The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1061
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From af5f70c4b52732b25941766c1f7004595eebd49e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Mon, 27 Jun 2016 15:11:16 -0400
Subject: [PATCH 1/2] apparmor: allow mount move
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 config/apparmor/abstractions/container-base | 18 ++++++++++++++++++
 config/apparmor/abstractions/container-base.in | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 9452f66..7533fdb 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -124,6 +124,24 @@
 mount options=(rw,bind) /sy[^s]*{,/**},
 mount options=(rw,bind) /sys?*{,/**},
+ # allow moving mounts except for /proc, /sys and /dev
+ mount options=(rw,move) /[^spd]*{,/**},
+ mount options=(rw,move) /d[^e]*{,/**},
+ mount options=(rw,move) /de[^v]*{,/**},
+ mount options=(rw,move) /dev/.[^l]*{,/**},
+ mount options=(rw,move) /dev/.l[^x]*{,/**},
+ mount options=(rw,move) /dev/.lx[^c]*{,/**},
+ mount options=(rw,move) /dev/.lxc?*{,/**},
+ mount options=(rw,move) /dev/[^.]*{,/**},
+ mount options=(rw,move) /dev?*{,/**},
+ mount options=(rw,move) /p[^r]*{,/**},
+ mount options=(rw,move) /pr[^o]*{,/**},
+ mount options=(rw,move) /pro[^c]*{,/**},
+ mount options=(rw,move) /proc?*{,/**},
+ mount options=(rw,move) /s[^y]*{,/**},
+ mount options=(rw,move) /sy[^s]*{,/**},
+ mount options=(rw,move) /sys?*{,/**},
+
 # generated by: lxc-generate-aa-rules.py container-rules.base
 deny /proc/sys/[^kn]*{,/**} wklx,
 deny /proc/sys/k[^e]*{,/**} wklx,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 68db43d..022d04d 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
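Review bot: The comment `# allow moving mounts except for /proc, /sys and /dev` describes only the source side of the new rules: none of them carries a `->` destination, so a mount taken from an allowed source can be moved onto any path, including under /proc, /sys or /dev. The bind rules visible in the context lines appear to be written the same source-only way, so this looks consistent rather than a new gap, but the comment should say so, e.g. `# allow moving mounts whose source is outside /proc, /sys and /dev (destination unrestricted, as for bind)`. The patterns also keep /dev itself and the /dev/.lxc subtree out of the source set, which the comment does not mention; naming /dev/.lxc there keeps the comment and the rules in agreement. The same hunk is repeated for container-base.in below and should carry the same wording.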
@@ -124,3 +124,21 @@
 mount options=(rw,bind) /sy[^s]*{,/**},
 mount options=(rw,bind) /sys?*{,/**},
+ # allow moving mounts except for /proc, /sys and /dev
+ mount options=(rw,move) /[^spd]*{,/**},
+ mount options=(rw,move) /d[^e]*{,/**},
+ mount options=(rw,move) /de[^v]*{,/**},
+ mount options=(rw,move) /dev/.[^l]*{,/**},
+ mount options=(rw,move) /dev/.l[^x]*{,/**},
+ mount options=(rw,move) /dev/.lx[^c]*{,/**},
+ mount options=(rw,move) /dev/.lxc?*{,/**},
+ mount options=(rw,move) /dev/[^.]*{,/**},
+ mount options=(rw,move) /dev?*{,/**},
+ mount options=(rw,move) /p[^r]*{,/**},
+ mount options=(rw,move) /pr[^o]*{,/**},
+ mount options=(rw,move) /pro[^c]*{,/**},
+ mount options=(rw,move) /proc?*{,/**},
+ mount options=(rw,move) /s[^y]*{,/**},
+ mount options=(rw,move) /sy[^s]*{,/**},
+ mount options=(rw,move) /sys?*{,/**},
+
From efab898b55a1e1eeb01e2e9c36d4716cc1cc6191 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Mon, 27 Jun 2016 15:15:15 -0400
Subject: [PATCH 2/2] apparmor: Allow all the mount states
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 config/apparmor/abstractions/container-base | 21 +++++++++------------
 config/apparmor/abstractions/container-base.in | 21 +++++++++------------
 2 files changed, 18 insertions(+), 24 deletions(-)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 7533fdb..0aacb6a 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,18 +93,15 @@
 # deny reads from debugfs
 deny /sys/kernel/debug/{,**} rwklx,
- # allow paths to be made shared, rshared, private or rprivate
- mount options=(rw,shared) -> /,
- mount options=(rw,shared) -> /**,
-
- mount options=(rw,rshared) -> /,
- mount options=(rw,rshared) -> /**,
-
- mount options=(rw,private) -> /,
- mount options=(rw,private) -> /**,
-
- mount options=(rw,rprivate) -> /,
- mount options=(rw,rprivate) -> /**,
+ # allow paths to be made slave, shared, private or unbindable
+ mount options=(rw,make-slave) -> **,
+ mount options=(rw,make-rslave) -> **,
+ mount options=(rw,make-shared) -> **,
+ mount options=(rw,make-rshared) -> **,
+ mount options=(rw,make-private) -> **,
+ mount options=(rw,make-rprivate) -> **,
+ mount options=(rw,make-unbindable) -> **,
+ mount options=(rw,make-runbindable) -> **,
 # allow bind-mounts of anything except /proc, /sys and /dev
 mount options=(rw,bind) /[^spd]*{,/**},
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 022d04d..efeab82 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
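Review bot: The new `make-shared` and `make-rshared` rules target a bare `**`, so any mountpoint in the container may be turned into a shared propagation point; whether that stays inside the container depends on the mount tree having already been made slave or private before the profile is enforced, and nothing in this abstraction records that reliance. The removed `shared`/`rshared` rules on `/` and `/**` rested on the same assumption, so this is not a change in kind, but a comment above the block would make it explicit, e.g. `# make-shared on ** only forms a new peer group inside the container; relies on the mount tree being made slave/private at container setup — confirm against the setup code`. The comment text also still reads `slave, shared, private or unbindable` while the rules add the recursive make-r* variants, and the switch from explicit `/` and `/**` targets to `**` deserves a word if it is intentional. The same hunk is repeated for container-base.in and should get the same comment.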
@@ -93,18 +93,15 @@
 # deny reads from debugfs
 deny /sys/kernel/debug/{,**} rwklx,
- # allow paths to be made shared, rshared, private or rprivate
- mount options=(rw,shared) -> /,
- mount options=(rw,shared) -> /**,
-
- mount options=(rw,rshared) -> /,
- mount options=(rw,rshared) -> /**,
-
- mount options=(rw,private) -> /,
- mount options=(rw,private) -> /**,
-
- mount options=(rw,rprivate) -> /,
- mount options=(rw,rprivate) -> /**,
+ # allow paths to be made slave, shared, private or unbindable
+ mount options=(rw,make-slave) -> **,
+ mount options=(rw,make-rslave) -> **,
+ mount options=(rw,make-shared) -> **,
+ mount options=(rw,make-rshared) -> **,
+ mount options=(rw,make-private) -> **,
+ mount options=(rw,make-rprivate) -> **,
+ mount options=(rw,make-unbindable) -> **,
+ mount options=(rw,make-runbindable) -> **,
 # allow bind-mounts of anything except /proc, /sys and /dev
 mount options=(rw,bind) /[^spd]*{,/**},