deny mount does not work correctly
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | In Progress | High | Unassigned | |
Bug Description
Given the following profile,

```
profile lxc_container flags=(
  umount,

  # ignore DENIED message on / remount
  # FIXME: doesn't match yet
  deny mount options=(ro, remount) -> /,

  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,

  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/

  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/

  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/
  mount fstype=securityfs -> /sys/kernel/
  mount fstype=debugfs -> /sys/kernel/debug/,
}
```

the rule

```
deny mount options=(ro, remount) -> /,
```

does not work correctly.
Changed in apparmor:
- importance: Undecided → High
- status: New → In Progress
- assignee: nobody → John Johansen (jjohansen)

Changed in apparmor:
- assignee: John Johansen (jjohansen) → nobody
- tags: added: aa-parser