So I came up with an alternate way around this which works for both privileged and unprivileged containers and doesn't require an updated apparmor. This uses seccomp to filter the umount2 call and return EACCES when passed MNT_FORCE as the second argument.
Code is at: http://paste.ubuntu.com/9568741/
stgraber@castiana:~/Desktop$ gcc sec-mount.c -o sec-mount -lseccomp
stgraber@castiana:~/Desktop$ cp sec-mount /tmp/
stgraber@castiana:~/Desktop$ lxc-usernsexec -- /tmp/sec-mount
root@castiana:~/Desktop# mount --bind /home/stgraber/ /mnt
root@castiana:~/Desktop# umount /mnt
root@castiana:~/Desktop# mount --bind /home/stgraber/ /mnt
root@castiana:~/Desktop# umount -f /mnt
umount2: Permission denied
umount: /mnt: block devices not permitted on fs
root@castiana:~/Desktop# exit
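For readers who cannot reach the paste, here is an added example of the same idea; it is not the poster's sec-mount.c and may differ from it in detail. It builds the seccomp filter by hand with prctl(2) and raw BPF instead of libseccomp, so it compiles with only the kernel headers: every syscall is allowed except umount2 with the MNT_FORCE bit set in its flags argument, which fails with EACCES before the kernel ever sees it. The program name, the probe path and the arch list are my own choices, not anything from the comment.

```c
/*
 * Added example (not the poster's sec-mount.c): a seccomp-BPF filter that
 * makes umount2() fail with EACCES whenever MNT_FORCE is in its flags, then
 * execs a command under that filter. Plain prctl(2), no libseccomp. Linux only.
 */
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture token the kernel reports in seccomp_data.arch (assumed list). */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Offset of the low 32 bits of syscall argument n inside struct seccomp_data. */
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define ARG_LO(n) (offsetof(struct seccomp_data, args) + 8 * (n))
#else
#define ARG_LO(n) (offsetof(struct seccomp_data, args) + 8 * (n) + 4)
#endif

/* Install the filter in the calling process. Returns 0 on success, -1 with errno set. */
int deny_forced_umount(void)
{
    struct sock_filter filter[] = {
        /* Never interpret syscall numbers of a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Anything other than umount2 passes through untouched. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 0, 3),
        /* umount2(target, flags): load flags and test the MNT_FORCE bit. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MNT_FORCE, 0, 1),
        /* MNT_FORCE set: return EACCES to the caller instead of running it. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call umount2() on a path that cannot exist (constructed probe) and return
 * the errno it produced, or 0 if it unexpectedly succeeded. */
int probe_umount_errno(int flags)
{
    errno = 0;
    if (umount2("/nonexistent-seccomp-probe", flags) == 0)
        return 0;
    return errno;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    if (deny_forced_umount() == -1) {
        perror("seccomp");
        return 1;
    }
    /* seccomp filters survive execve, so the command runs under it. */
    execvp(argv[1], &argv[1]);
    perror("execvp");
    return 1;
}
```

Build with `gcc deny-forced-umount.c -o deny-forced-umount`, then run a shell under it (`./deny-forced-umount /bin/sh`): a plain `umount /mnt` behaves as before, while `umount -f /mnt` gets EACCES from the kernel and prints "Permission denied", as in the transcript above. The filter only looks at the flags word, so it does not care whether the caller is root in the container, and because it stacks on top of any profile already applied to the process it can be added without touching the apparmor policy.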