Proxmox/lxc
5
0
Fork 0
mirror of git://git.proxmox.com/git/lxc.git synced 2025-03-16 10:50:38 +03:00
Code Releases Activity

update apparmor profile

Browse Source 
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2019-08-02 13:01:30 +02:00
parent 200de80309
commit 5b9827461e
5 changed files with 295 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
debian/patches/extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch vendored
View File

@ -9,7 +9,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 3d0e4a19..0d86d66e 100644
index 3d0e4a192..0d86d66e5 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2681,8 +2681,8 @@ int setup_sysctl_parameters(struct lxc_list *sysctls)
@ -35,5 +35,5 @@ index 3d0e4a19..0d86d66e 100644
}
}
--
2.11.0
2.20.1

4
debian/patches/extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch vendored
View File

@ -15,7 +15,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
1 file changed, 1 insertion(+)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 0d86d66e..7263d0e1 100644
index 0d86d66e5..7263d0e1a 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -690,6 +690,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
@ -27,5 +27,5 @@ index 0d86d66e..7263d0e1 100644
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL },
--
2.11.0
2.20.1

20
debian/patches/extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch vendored
View File

@ -67,15 +67,15 @@ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
configure.ac | 12 +++
src/lxc/Makefile.am | 4 +
src/lxc/file_utils.c | 41 +++++++++-
src/lxc/file_utils.c | 41 ++++++++-
src/lxc/file_utils.h | 1 +
src/lxc/rexec.c | 181 +++++++++++++++++++++++++++++++++++++++++++++
src/lxc/syscall_wrappers.h | 14 ++++
src/lxc/rexec.c | 181 +++++++++++++++++++++++++++++++++++++
src/lxc/syscall_wrappers.h | 14 +++
6 files changed, 252 insertions(+), 1 deletion(-)
create mode 100644 src/lxc/rexec.c
diff --git a/configure.ac b/configure.ac
index 9f3b8fb3..3177f7da 100644
index 9f3b8fb3c..3177f7da3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -727,6 +727,17 @@ AM_COND_IF([ENABLE_DLOG],
@ -105,7 +105,7 @@ index 9f3b8fb3..3177f7da 100644
PAM:
- PAM module: $enable_pam
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index 95b0a2f7..865d341f 100644
index 95b0a2f72..865d341fe 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -175,6 +175,10 @@ if !HAVE_STRLCAT
@ -120,7 +120,7 @@ index 95b0a2f7..865d341f 100644
-DLXCPATH=\"$(LXCPATH)\" \
-DLXC_GLOBAL_CONF=\"$(LXC_GLOBAL_CONF)\" \
diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c
index f89aa638..930fd738 100644
index f89aa638d..930fd738a 100644
--- a/src/lxc/file_utils.c
+++ b/src/lxc/file_utils.c
@@ -31,7 +31,7 @@
@ -176,7 +176,7 @@ index f89aa638..930fd738 100644
+ return NULL;
+}
diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h
index 6361557a..518a61af 100644
index 6361557a0..518a61af3 100644
--- a/src/lxc/file_utils.h
+++ b/src/lxc/file_utils.h
@@ -55,5 +55,6 @@ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
@ -188,7 +188,7 @@ index 6361557a..518a61af 100644
#endif /* __LXC_FILE_UTILS_H */
diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c
new file mode 100644
index 00000000..396bd617
index 000000000..396bd617f
--- /dev/null
+++ b/src/lxc/rexec.c
@@ -0,0 +1,181 @@
@ -374,7 +374,7 @@ index 00000000..396bd617
+ }
+}
diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
index 42d94db2..dca4d157 100644
index 42d94db28..dca4d1571 100644
--- a/src/lxc/syscall_wrappers.h
+++ b/src/lxc/syscall_wrappers.h
@@ -58,6 +58,20 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3,
@ -399,5 +399,5 @@ index 42d94db2..dca4d157 100644
static inline int memfd_create(const char *name, unsigned int flags) {
#ifndef __NR_memfd_create
--
2.11.0
2.20.1

280
debian/patches/extra/0004-update-apparmor-profile.patch vendored Normal file
View File

@ -0,0 +1,280 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 2 Aug 2019 12:57:42 +0200
Subject: [PATCH] update apparmor profile
based on changes to lxd
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/lsm/apparmor.c | 235 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 219 insertions(+), 16 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index e32b12531..6e7c2494d 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -149,6 +149,187 @@ static const char AA_PROFILE_BASE[] =
"# mount options=(rw,make-unbindable) -> **,\n"
"# mount options=(rw,make-runbindable) -> **,\n"
"\n"
+"# Allow limited modification of mount propagation\n"
+" mount options=(rw,make-slave) -> /,\n"
+" mount options=(rw,make-rslave) -> /,\n"
+" mount options=(rw,make-shared) -> /,\n"
+" mount options=(rw,make-rshared) -> /,\n"
+" mount options=(rw,make-private) -> /,\n"
+" mount options=(rw,make-rprivate) -> /,\n"
+" mount options=(rw,make-unbindable) -> /,\n"
+" mount options=(rw,make-runbindable) -> /,\n"
+"\n"
+" # allow various ro-bind-*re*-mounts\n"
+" mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,nodev) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,nodev,nosuid) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,noexec) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,noexec,nodev) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,nosuid) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,nodev) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /sys?*{,/**},\n"
+"\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /[^spd]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /d[^e]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /de[^v]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.[^l]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.l[^x]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lx[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/.lxc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev/[^.]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /dev?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /p[^r]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pr[^o]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /pro[^c]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /proc?*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /s[^y]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sy[^s]*{,/**},\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime) -> /sys?*{,/**},\n"
+"\n"
" # allow bind-mounts of anything except /proc, /sys and /dev\n"
" mount options=(rw,bind) /[^spd]*{,/**},\n"
" mount options=(rw,bind) /d[^e]*{,/**},\n"
@@ -167,15 +348,18 @@ static const char AA_PROFILE_BASE[] =
" mount options=(rw,bind) /sy[^s]*{,/**},\n"
" mount options=(rw,bind) /sys?*{,/**},\n"
"\n"
-" # allow various ro-bind-*re*-mounts\n"
-" mount options=(ro,remount,bind),\n"
-" mount options=(ro,remount,bind,nosuid),\n"
-" mount options=(ro,remount,bind,noexec),\n"
-" mount options=(ro,remount,bind,nodev),\n"
-" mount options=(ro,remount,bind,nosuid,noexec),\n"
-" mount options=(ro,remount,bind,noexec,nodev),\n"
-" mount options=(ro,remount,bind,nodev,nosuid),\n"
-" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
+" # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n"
+" mount options=(rw,rbind) /[^spd]*{,/**},\n"
+" mount options=(rw,rbind) /d[^e]*{,/**},\n"
+" mount options=(rw,rbind) /de[^v]*{,/**},\n"
+" mount options=(rw,rbind) /dev?*{,/**},\n"
+" mount options=(rw,rbind) /p[^r]*{,/**},\n"
+" mount options=(rw,rbind) /pr[^o]*{,/**},\n"
+" mount options=(rw,rbind) /pro[^c]*{,/**},\n"
+" mount options=(rw,rbind) /proc?*{,/**},\n"
+" mount options=(rw,rbind) /s[^y]*{,/**},\n"
+" mount options=(rw,rbind) /sy[^s]*{,/**},\n"
+" mount options=(rw,rbind) /sys?*{,/**},\n"
"\n"
" # allow moving mounts except for /proc, /sys and /dev\n"
" mount options=(rw,move) /[^spd]*{,/**},\n"
@@ -339,18 +523,37 @@ static const char AA_PROFILE_NESTING_BASE[] =
" deny /dev/.lxc/proc/** rw,\n"
" deny /dev/.lxc/sys/** rw,\n"
"\n"
+" # Allow modifying mount propagation\n"
+" mount options=(rw,make-slave) -> **,\n"
+" mount options=(rw,make-rslave) -> **,\n"
+" mount options=(rw,make-shared) -> **,\n"
+" mount options=(rw,make-rshared) -> **,\n"
+" mount options=(rw,make-private) -> **,\n"
+" mount options=(rw,make-rprivate) -> **,\n"
+" mount options=(rw,make-unbindable) -> **,\n"
+" mount options=(rw,make-runbindable) -> **,\n"
+"\n"
" mount fstype=proc -> /usr/lib/*/lxc/**,\n"
" mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
" mount options=(rw,bind),\n"
" mount options=(rw,rbind),\n"
-" mount options=(rw,make-rshared),\n"
"\n"
- /* FIXME: What's the state here on apparmor's side? */
-" # there doesn't seem to be a way to ask for:\n"
-" # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
-" # as we always get mount to $cdir/proc/sys with those flags denied\n"
-" # So allow all mounts until that is straightened out:\n"
-" mount,\n"
+" # Allow common combinations of bind/remount\n"
+" # NOTE: AppArmor bug effectively turns those into wildcards mount allow\n"
+" mount options=(ro,remount,bind),\n"
+" mount options=(ro,remount,bind,nodev),\n"
+" mount options=(ro,remount,bind,nodev,nosuid),\n"
+" mount options=(ro,remount,bind,noexec),\n"
+" mount options=(ro,remount,bind,noexec,nodev),\n"
+" mount options=(ro,remount,bind,nosuid),\n"
+" mount options=(ro,remount,bind,nosuid,nodev),\n"
+" mount options=(ro,remount,bind,nosuid,noexec),\n"
+" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
+" mount options=(ro,remount,bind,nosuid,noexec,strictatime),\n"
+"\n"
+" # Allow remounting things read-only\n"
+" mount options=(ro,remount) /,\n"
+" mount options=(ro,remount) /**,\n"
;
static const char AA_PROFILE_UNPRIVILEGED[] =
--
2.20.1

1
debian/patches/series vendored
View File

@ -10,3 +10,4 @@ pve/0009-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch
extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch
extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch
extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
extra/0004-update-apparmor-profile.patch