[apparmor] [Bug 959560] Re: deny mount does not work correctly

Jamie Strandboge jamie at ubuntu.com
Thu Apr 12 01:38:28 UTC 2012

** Changed in: apparmor
   Importance: Undecided => High

** Changed in: apparmor
       Status: New => In Progress

** Changed in: apparmor
     Assignee: (unassigned) => John Johansen (jjohansen)


  deny mount does not work correctly

Status in AppArmor Linux application security framework:
  In Progress

Bug description:
  Given the following profile,

    profile lxc_container flags=(attach_disconnected) {

      # ignore DENIED message on / remount
      # FIXME: doesn't match yet
      deny mount options=(ro, remount) -> /,

      # allow tmpfs mounts everywhere
      mount fstype=tmpfs,

      # allow bind mount of /lib/init/fstab for lxcguest
      mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

      # deny writes in /proc/sys/fs but allow fusectl to be mounted
      mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,

      # deny writes in /sys except for /sys/fs/cgroup, also allow
      # fusectl, securityfs and debugfs to be mounted there (read-only)
      mount fstype=fusectl -> /sys/fs/fuse/connections/,
      mount fstype=securityfs -> /sys/kernel/security/,
      mount fstype=debugfs -> /sys/kernel/debug/,
    }

  the rule

    deny mount options=(ro, remount) -> /,

  does not work correctly.
