[apparmor] Deny mount globally

[John Johansen]

On 8/29/19 11:42 PM, Kobus Goosen wrote:
> Hi, 
> I just wanted to ask if there is an elegant way to block mounting/unmounting in general. 

arm no its a pita to do. It requires setting up global policy, that is loaded from the initrd and atm this has to be hand rolled.

There is work in progress to fix this so that both early and global policy are easier but I am unsure when that work will land. Probabably in 3.1 or 3.2

> I have an industrial device that has a read-only rootfs, so there's limited system damage that a user could make. However I'd like to disable mounting so it's never possible to remount the rootfs in read/write more. 
> My initial idea involved creating a profile for SSHD, and adding "  deny mount," to it. This initially worked (after I changed bash from Ux to ix), but causes a host of other issues. 
> 

not unexpected, its really easy to break things with confinement. Instead of Ux or ix you might want to try a special profile

use a name profile transition

  px -> global,

and then a global profile something like

profile global {
  # things to deny
  deny mount,

  # things to allow
  /** rwlkm,
  network,
  # ... other rules that should be allowed

  # profile transitions
  /** pix,
  # eg. of how to selectively break out of confinement
  /usr/bin/sudo Ux,

}


The pix will use a profile if available other wise fall back to the global profile. This would prevent children of ssh mounting, unless you define a profile allowing them to.
You could even selectively allow transitioning to unconfined to allow for admin from ssh to not be broken.


> 
> /Kobus Goosen /
> /071 608 4149/
> /kobuslgoosen at gmail.com <mailto:kobuslgoosen at gmail.com>/
> 
> 

nd