deny mount does not work correctly

Bug #959560 reported by John Johansen

Bug Description

Given the following profile,

  profile lxc_container flags=(attach_disconnected) {

   # ignore DENIED message on / remount
   # FIXME: doesn't match yet
   deny mount options=(ro, remount) -> /,

   # allow tmpfs mounts everywhere
   mount fstype=tmpfs,

   # allow bind mount of /lib/init/fstab for lxcguest
   mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

   # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,

   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)
   mount fstype=fusectl -> /sys/fs/fuse/connections/,
   mount fstype=securityfs -> /sys/kernel/security/,
   mount fstype=debugfs -> /sys/kernel/debug/,

   # (remaining rules of the profile are not included in the report;
   # closing brace added so the excerpt parses as a complete profile)
  }

the rule

 deny mount options=(ro, remount) -> /,

 does not work correctly
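
An added check, not part of the bug report or of the AppArmor/LXC code: a plain `deny` rule in AppArmor refuses the operation quietly (no audit record unless the rule is written `audit deny`), so the intent of `deny mount options=(ro, remount) -> /,` is that a read-only remount of / from inside the container is refused without a DENIED line reaching the log. Whether the rule matched can therefore be tested from the outside, without knowing why the parser mis-handles it: reproduce the remount in the container, then look for a DENIED mount record for the profile with name="/" and flags="ro, remount". The script below does that scan. The sample audit lines, the pids, timestamps and the profile name `lxc_container` are constructed for illustration; the field layout follows the kernel's AppArmor audit format, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): detect DENIED audit records that
# the rule "deny mount options=(ro, remount) -> /," should have quieted.
#
# If the deny rule matches, the remount is refused silently. If it does not
# match (the behaviour described in this bug), the remount is still refused
# by the profile's default deny, but a DENIED record is logged for it.

# Constructed sample audit lines; timestamps, pids and profile name are made up.
# Line 1 is the event the rule should have silenced, line 2 is a different
# mount denial, line 3 is an allowed tmpfs mount.
SAMPLE_LOG='type=1400 audit(1332000000.123:45): apparmor="DENIED" operation="mount" profile="lxc_container" name="/" pid=1234 comm="mount" flags="ro, remount"
type=1400 audit(1332000000.456:46): apparmor="DENIED" operation="mount" profile="lxc_container" name="/proc/sys/fs/binfmt_misc/" pid=1235 comm="mount" fstype="binfmt_misc"
type=1400 audit(1332000000.789:47): apparmor="ALLOWED" operation="mount" profile="lxc_container" name="/tmp/" pid=1236 comm="mount" fstype="tmpfs"'

# count_remount_denials PROFILE < audit-lines
# Prints how many DENIED mount records for PROFILE are a ro,remount of "/",
# i.e. exactly the events the deny rule is meant to quiet. grep -c exits 1
# when the count is 0, so that status is swallowed and the "0" is kept.
count_remount_denials() {
    profile="$1"
    grep -c "apparmor=\"DENIED\" operation=\"mount\" .*profile=\"$profile\" .*name=\"/\" .*flags=\"ro, remount\"" || true
}

# remount_deny_rule_ok PROFILE < audit-lines
# Exit 0 when no such record exists (the deny rule matched and quieted the
# event), 1 when at least one was logged (the symptom reported in this bug).
remount_deny_rule_ok() {
    n=$(count_remount_denials "$1")
    [ "$n" -eq 0 ]
}

# On a live system (not run here): inside the container run
#   mount -o remount,ro /
# then on the host:
#   dmesg | grep 'apparmor=' | remount_deny_rule_ok lxc_container \
#       && echo "deny rule matched (quiet)" || echo "DENIED still logged"
#
# Against the constructed sample, which carries one such DENIED line:
printf '%s\n' "$SAMPLE_LOG" | count_remount_denials lxc_container   # prints 1
```

The match is deliberately anchored on `name="/"` followed by a space so that denials for other mount points under / (such as the binfmt_misc line in the sample) are not counted, and on `flags="ro, remount"` so that a refused remount with other options is reported separately rather than being mistaken for this rule's event.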

Changed in apparmor:
importance: Undecided → High
status: New → In Progress
assignee: nobody → John Johansen (jjohansen)
Changed in apparmor:
assignee: John Johansen (jjohansen) → nobody
tags: added: aa-parser