deny mount does not work correctly

Bug #959560 reported by John Johansen
This bug affects 2 people
Affects: AppArmor
Status: In Progress
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

Given the following profile,

  profile lxc_container flags=(attach_disconnected) {
   umount,

   # ignore DENIED message on / remount
   # FIXME: doesn't match yet
   deny mount options=(ro, remount) -> /,

   # allow tmpfs mounts everywhere
   mount fstype=tmpfs,

   # allow bind mount of /lib/init/fstab for lxcguest
   mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

   # deny writes in /proc/sys/fs but allow fusectl to be mounted
   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,

   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)
   mount fstype=fusectl -> /sys/fs/fuse/connections/,
   mount fstype=securityfs -> /sys/kernel/security/,
   mount fstype=debugfs -> /sys/kernel/debug/,
  }

the rule

  deny mount options=(ro, remount) -> /,

does not work correctly.
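As an added example (not part of the bug report, and not the apparmor_parser's own code), here is a small Python parser for the mount rule forms used in the profile above. It is deliberately simplified: it handles only the `[deny] mount [options=(...)] [fstype=...] [source] [-> dest],` shapes shown in this profile, not the full apparmor.d grammar, and the profile text is embedded as a constructed sample. Listing which rules carry `deny` and which mountpoints they name is a quick way to record a profile's intent, so that each deny rule can then be checked in audit mode to confirm it actually fires.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the profile from the bug report, comments included so
# the parser has to skip them.
SAMPLE_PROFILE = """
profile lxc_container flags=(attach_disconnected) {
  umount,

  # ignore DENIED message on / remount
  # FIXME: doesn't match yet
  deny mount options=(ro, remount) -> /,

  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,

  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,

  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
}
"""


@dataclass
class MountRule:
    deny: bool                 # True for "deny mount ...", False for a plain allow rule
    options: List[str]         # entries of options=(...), empty list if absent
    fstype: Optional[str]      # value of fstype=..., None if absent
    source: Optional[str]      # source path or device before "->", None if absent
    dest: Optional[str]        # mountpoint after "->", None if absent


# Applied to a rule line after comment stripping and removal of the trailing comma.
# This only covers the rule shapes in the sample profile (simplified grammar).
MOUNT_RE = re.compile(r"^(?P<deny>deny\s+)?mount\b(?P<body>.*)$")
OPTIONS_RE = re.compile(r"options=\(([^)]*)\)")
FSTYPE_RE = re.compile(r"fstype=(\S+)")


def parse_mount_rules(profile: str) -> List[MountRule]:
    """Extract mount rules (deny or allow) from a profile, in file order."""
    rules: List[MountRule] = []
    for raw in profile.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line.endswith(","):            # rules end with a comma; headers and braces do not
            continue
        m = MOUNT_RE.match(line[:-1].strip())
        if not m:                             # e.g. "umount," or non-mount rules
            continue
        body = m.group("body")

        options: List[str] = []
        om = OPTIONS_RE.search(body)
        if om:
            options = [o.strip() for o in om.group(1).split(",") if o.strip()]
            body = body[:om.start()] + body[om.end():]

        fstype = None
        fm = FSTYPE_RE.search(body)
        if fm:
            fstype = fm.group(1)
            body = body[:fm.start()] + body[fm.end():]

        source = dest = None
        if "->" in body:
            src, dst = body.split("->", 1)
            source, dest = src.strip() or None, dst.strip() or None
        else:
            source = body.strip() or None

        rules.append(MountRule(m.group("deny") is not None, options, fstype, source, dest))
    return rules


def deny_targets(rules: List[MountRule]) -> List[str]:
    """Mountpoints that the profile explicitly denies mounting on (dest of deny rules)."""
    return [r.dest for r in rules if r.deny and r.dest is not None]


if __name__ == "__main__":
    parsed = parse_mount_rules(SAMPLE_PROFILE)
    for r in parsed:
        kind = "DENY " if r.deny else "allow"
        print(f"{kind} options={r.options} fstype={r.fstype} source={r.source} dest={r.dest}")
    print("deny targets:", deny_targets(parsed))
```

Run it and the output lists seven mount rules, only the first of which is a deny rule, with `/` as its target; the `umount,` line and the profile header are skipped. Because the parser keeps file order, it can also be used to compare rule order against the intent recorded in the profile's comments.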

Tags: aa-parser
Changed in apparmor:
importance: Undecided → High
status: New → In Progress
assignee: nobody → John Johansen (jjohansen)
Changed in apparmor:
assignee: John Johansen (jjohansen) → nobody
tags: added: aa-parser