AppArmor always denies pivot_root when mediation rules contain put_old or new_root
Bug #1305244 reported by Tyler Hicks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Invalid | Medium | John Johansen |
Bug Description
After stgraber reported unexpected AppArmor denials when lxc was trying to pivot_root(), I wrote some tests for AppArmor's regression test suite.
The pivot_root syntax looks like this:
[audit] [deny] pivot_root [oldroot=put_old] [new_root] [-> new_profile],
If [oldroot=put_old] or [new_root] are specified, AppArmor always denies the pivot_root(). I've verified this to be the case in Trusty and 12.04 LTS.
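The rule forms from the syntax line above, written out in a profile fragment. This is an added example, not code from the bug report or from the AppArmor project; the executable path, the rootfs paths and the child profile name are placeholders chosen for illustration.

```apparmor
# Added example profile fragment (not from the bug report).
# The attached binary and all paths below are assumed placeholders.
/usr/local/bin/example-runtime {
  # Unconstrained form: permits any pivot_root(2) by the confined process.
  # Per the report, this is the only form that works on the affected
  # Trusty and 12.04 LTS packages, at the cost of not limiting which
  # directories may become the new root or receive the old one.
  pivot_root,

  # Constrained forms (commented out here because, on the affected versions,
  # any rule carrying oldroot= or a new_root path causes the call to be denied).
  # Limit where the old root may be moved to (the put_old argument):
  # pivot_root oldroot=/var/lib/example/rootfs/.oldroot/,
  # Limit which directory may become the new root:
  # pivot_root /var/lib/example/rootfs/,
  # Both limits, plus a transition to a child profile once the pivot succeeds
  # (the child profile "example-container" is assumed to be defined elsewhere):
  # pivot_root oldroot=/var/lib/example/rootfs/.oldroot/ /var/lib/example/rootfs/ -> example-container,

  # "audit" and "deny" may prefix any of the forms above, e.g. to log each
  # permitted pivot: audit pivot_root,
}
```

Directory paths in AppArmor rules end with a trailing slash, as shown, so that they match the directory itself rather than a file of the same name.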
Here's the patch to the AppArmor regression tests that adds fairly comprehensive tests for pivot_root mediation. What is missing from the patch is testing audit and deny modifiers on pivot_root rules. I'll add those before I upstream the patch.