revert apparmor changes depending on newer apparmor

this particular patch requires apparmor userspace version 3.0.11 or above and we're currently at 3.0.8 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2025-03-16 10:50:38 +03:00 · 2024-04-05 13:15:50 +02:00 · 2024-04-05 13:15:50 +02:00 · 62f2efc197
commit 62f2efc197
parent ab6c7914e6
2 changed files with 113 additions and 0 deletions
--- a/debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch
+++ b/debian/patches/0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch
@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 5 Apr 2024 13:05:33 +0200
+Subject: [PATCH] Revert "lsm: apparmor: allow to change mount propagation"
+
+This reverts commit 890de075941a8d6e8d0294480e82c72e6de51fc1.
+
+Debian/pve-8 is still at apparmor 3.0.8 and this would require at
+least 3.0.11.
+---
+ config/apparmor/abstractions/container-base   | 17 ++++++------
+ .../apparmor/abstractions/container-base.in   | 17 ++++++------
+ src/lxc/lsm/apparmor.c                        | 27 +++++++++++++------
+ 3 files changed, 37 insertions(+), 24 deletions(-)
+
+diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
+index 69bf6c3b5..077476559 100644
+--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
+@@ -92,14 +92,15 @@
+   deny /sys/kernel/debug/{,**} rwklx,
+ 
+   # allow paths to be made slave, shared, private or unbindable
+-  mount options=(rw,make-slave) -> **,
+-  mount options=(rw,make-rslave) -> **,
+-  mount options=(rw,make-shared) -> **,
+-  mount options=(rw,make-rshared) -> **,
+-  mount options=(rw,make-private) -> **,
+-  mount options=(rw,make-rprivate) -> **,
+-  mount options=(rw,make-unbindable) -> **,
+-  mount options=(rw,make-runbindable) -> **,
+  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+#  mount options=(rw,make-slave) -> **,
+#  mount options=(rw,make-rslave) -> **,
+#  mount options=(rw,make-shared) -> **,
+#  mount options=(rw,make-rshared) -> **,
+#  mount options=(rw,make-private) -> **,
+#  mount options=(rw,make-rprivate) -> **,
+#  mount options=(rw,make-unbindable) -> **,
+#  mount options=(rw,make-runbindable) -> **,
+ 
+   # allow bind-mounts of anything except /proc, /sys and /dev
+   mount options=(rw,bind) /[^spd]*{,/**},
+diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
+index 2ca4e2f7b..2606fb64c 100644
+--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
+@@ -92,14 +92,15 @@
+   deny /sys/kernel/debug/{,**} rwklx,
+ 
+   # allow paths to be made slave, shared, private or unbindable
+-  mount options=(rw,make-slave) -> **,
+-  mount options=(rw,make-rslave) -> **,
+-  mount options=(rw,make-shared) -> **,
+-  mount options=(rw,make-rshared) -> **,
+-  mount options=(rw,make-private) -> **,
+-  mount options=(rw,make-rprivate) -> **,
+-  mount options=(rw,make-unbindable) -> **,
+-  mount options=(rw,make-runbindable) -> **,
+  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+#  mount options=(rw,make-slave) -> **,
+#  mount options=(rw,make-rslave) -> **,
+#  mount options=(rw,make-shared) -> **,
+#  mount options=(rw,make-rshared) -> **,
+#  mount options=(rw,make-private) -> **,
+#  mount options=(rw,make-rprivate) -> **,
+#  mount options=(rw,make-unbindable) -> **,
+#  mount options=(rw,make-runbindable) -> **,
+ 
+   # allow bind-mounts of anything except /proc, /sys and /dev
+   mount options=(rw,bind) /[^spd]*{,/**},
+diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
+index 1d98e2941..6f0b10dfe 100644
+--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
+@@ -113,14 +113,25 @@ static const char AA_PROFILE_BASE[] =
+ "  deny /sys/kernel/debug/{,**} rwklx,\n"
+ "\n"
+ "  # allow paths to be made dependent, shared, private or unbindable\n"
+-"  mount options=(rw,make-slave) -> **,\n"
+-"  mount options=(rw,make-rslave) -> **,\n"
+-"  mount options=(rw,make-shared) -> **,\n"
+-"  mount options=(rw,make-rshared) -> **,\n"
+-"  mount options=(rw,make-private) -> **,\n"
+-"  mount options=(rw,make-rprivate) -> **,\n"
+-"  mount options=(rw,make-unbindable) -> **,\n"
+-"  mount options=(rw,make-runbindable) -> **,\n"
+"  # TODO: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.\n"
+"#  mount options=(rw,make-slave) -> **,\n"
+"#  mount options=(rw,make-rslave) -> **,\n"
+"#  mount options=(rw,make-shared) -> **,\n"
+"#  mount options=(rw,make-rshared) -> **,\n"
+"#  mount options=(rw,make-private) -> **,\n"
+"#  mount options=(rw,make-rprivate) -> **,\n"
+"#  mount options=(rw,make-unbindable) -> **,\n"
+"#  mount options=(rw,make-runbindable) -> **,\n"
+"\n"
+"# Allow limited modification of mount propagation\n"
+"  mount options=(rw,make-slave) -> /,\n"
+"  mount options=(rw,make-rslave) -> /,\n"
+"  mount options=(rw,make-shared) -> /,\n"
+"  mount options=(rw,make-rshared) -> /,\n"
+"  mount options=(rw,make-private) -> /,\n"
+"  mount options=(rw,make-rprivate) -> /,\n"
+"  mount options=(rw,make-unbindable) -> /,\n"
+"  mount options=(rw,make-runbindable) -> /,\n"
+ "\n"
+ "  # allow bind-mounts of anything except /proc, /sys and /dev\n"
+ "  mount options=(rw,bind) /[^spd]*{,/**},\n"
+-- 
+2.39.2
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1,2 +1,3 @@
+0001-Revert-lsm-apparmor-allow-to-change-mount-propagatio.patch
 pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
 pve/0002-PVE-Config-attach-always-use-getent.patch