Comment 12 for bug 1402834

Stéphane Graber (stgraber) wrote :

So I came up with an alternate way around this which works for both privileged and unprivileged containers and doesn't require an updated apparmor. This uses seccomp to filter the umount2 call and return EACCES when passed MNT_FORCE as second argument.

Code is at: http://paste.ubuntu.com/9568741/

stgraber@castiana:~/Desktop$ gcc sec-mount.c -o sec-mount -lseccomp
stgraber@castiana:~/Desktop$ cp sec-mount /tmp/
stgraber@castiana:~/Desktop$ lxc-usernsexec -- /tmp/sec-mount
root@castiana:~/Desktop# mount --bind /home/stgraber/ /mnt
root@castiana:~/Desktop# umount /mnt
root@castiana:~/Desktop# mount --bind /home/stgraber/ /mnt
root@castiana:~/Desktop# umount -f /mnt
umount2: Permission denied
umount: /mnt: block devices not permitted on fs
root@castiana:~/Desktop# exit
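The filter described in this comment, as an added example that is not the code from the linked paste (which used libseccomp): it installs a seccomp filter so that umount2() fails with EACCES whenever MNT_FORCE is set in the flags argument, while every other umount2() call and every other syscall pass through unchanged. It assumes raw seccomp-BPF via prctl(2) instead of libseccomp, so it builds with plain glibc headers and no -lseccomp; the AUDIT_ARCH_* selection covers x86_64, i386, aarch64 and arm, and the mount point path used in the probe is constructed and need not exist, because the filter decides before the kernel looks at the path.

```c
/* Added example: seccomp-BPF filter returning EACCES for umount2(..., MNT_FORCE).
 * Assumption: raw prctl(2) + BPF is used here instead of libseccomp. */
#include <endian.h>
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The filter must check the architecture before trusting syscall numbers. */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#  define FILTER_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#  define FILTER_ARCH AUDIT_ARCH_ARM
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Offset of the low 32 bits of seccomp_data.args[i]; classic BPF loads are 32-bit. */
#if __BYTE_ORDER == __LITTLE_ENDIAN
#  define ARG_LO(i) (offsetof(struct seccomp_data, args[(i)]))
#else
#  define ARG_LO(i) (offsetof(struct seccomp_data, args[(i)]) + 4)
#endif

/* Install the filter in the calling process; children inherit it across exec.
 * Returns 0 on success, -1 with errno set on failure. */
int install_umount_force_filter(void)
{
    struct sock_filter filter[] = {
        /* 0-2: kill if the syscall ABI is not the one this was compiled for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3-4: any syscall other than umount2 is allowed (jump to 8) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 0, 3),
        /* 5-7: umount2: EACCES if MNT_FORCE is set in flags, else allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MNT_FORCE, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        /* 8: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Required so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Issue umount2(path, flags) and report the resulting errno (0 on success). */
int probe_umount2(const char *path, int flags)
{
    if (syscall(SYS_umount2, path, flags) == 0)
        return 0;
    return errno;
}

int main(void)
{
    /* Constructed path: the filter answers before the kernel resolves it. */
    const char *path = "/nonexistent-example-mountpoint";
    int err;

    if (install_umount_force_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    err = probe_umount2(path, MNT_FORCE);
    printf("umount2(MNT_FORCE): %s\n", strerror(err));   /* Permission denied */
    err = probe_umount2(path, 0);
    printf("umount2(0):         %s\n", strerror(err));   /* ENOENT or EPERM, not EACCES */
    return 0;
}
```

In a deployment like the one in the transcript above, the filter is installed once and the container init is exec'd afterwards, so every process in the container inherits it. Two details matter for correctness: the architecture check, without which the syscall number could be matched under a foreign ABI, and reading only the low 32 bits of the flags argument, since classic BPF has no 64-bit loads. A plain umount (no MNT_FORCE) and MNT_DETACH keep their normal kernel behaviour.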