[apparmor] [Bug 959560] Re: deny mount does not work correctly
Jamie Strandboge
jamie at ubuntu.com
Thu Apr 12 01:38:28 UTC 2012
** Changed in: apparmor
Importance: Undecided => High
** Changed in: apparmor
Status: New => In Progress
** Changed in: apparmor
Assignee: (unassigned) => John Johansen (jjohansen)
https://bugs.launchpad.net/bugs/959560
Title:
deny mount does not work correctly
Status in AppArmor Linux application security framework:
In Progress
Bug description:
Given the following profile,
profile lxc_container flags=(attach_disconnected) {
  umount,
  # ignore DENIED message on / remount
  # FIXME: doesn't match yet
  deny mount options=(ro, remount) -> /,
  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,
  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
}
the rule
  deny mount options=(ro, remount) -> /,
does not work correctly.