apparmor: Update mount states handling

Properly list all of the states and the right apparmor stanza for them, then comment them all as actually enabling this would currently let the user bypass apparmor entirely. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2025-08-31 15:09:28 +00:00 · 2016-06-27 15:15:15 -04:00
parent af5f70c4b5
commit 7f2b13275d
2 changed files with 19 additions and 24 deletions
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,18 +93,15 @@
  # deny reads from debugfs
  deny /sys/kernel/debug/{,**} rwklx,

-  # allow paths to be made shared, rshared, private or rprivate
-  mount options=(rw,shared) -> /,
-  mount options=(rw,shared) -> /**,
-
-  mount options=(rw,rshared) -> /,
-  mount options=(rw,rshared) -> /**,
-
-  mount options=(rw,private) -> /,
-  mount options=(rw,private) -> /**,
-
-  mount options=(rw,rprivate) -> /,
-  mount options=(rw,rprivate) -> /**,
+  # allow paths to be made slave, shared, private or unbindable
+  mount options=(rw,make-slave) -> **,
+  mount options=(rw,make-rslave) -> **,
+  mount options=(rw,make-shared) -> **,
+  mount options=(rw,make-rshared) -> **,
+  mount options=(rw,make-private) -> **,
+  mount options=(rw,make-rprivate) -> **,
+  mount options=(rw,make-unbindable) -> **,
+  mount options=(rw,make-runbindable) -> **,

  # allow bind-mounts of anything except /proc, /sys and /dev
  mount options=(rw,bind) /[^spd]*{,/**},
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -93,18 +93,16 @@
  # deny reads from debugfs
  deny /sys/kernel/debug/{,**} rwklx,

-  # allow paths to be made shared, rshared, private or rprivate
-  mount options=(rw,shared) -> /,
-  mount options=(rw,shared) -> /**,
-
-  mount options=(rw,rshared) -> /,
-  mount options=(rw,rshared) -> /**,
-
-  mount options=(rw,private) -> /,
-  mount options=(rw,private) -> /**,
-
-  mount options=(rw,rprivate) -> /,
-  mount options=(rw,rprivate) -> /**,
+  # allow paths to be made slave, shared, private or unbindable
+  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+#  mount options=(rw,make-slave) -> **,
+#  mount options=(rw,make-rslave) -> **,
+#  mount options=(rw,make-shared) -> **,
+#  mount options=(rw,make-rshared) -> **,
+#  mount options=(rw,make-private) -> **,
+#  mount options=(rw,make-rprivate) -> **,
+#  mount options=(rw,make-unbindable) -> **,
+#  mount options=(rw,make-runbindable) -> **,

  # allow bind-mounts of anything except /proc, /sys and /dev
  mount options=(rw,bind) /[^spd]*{,/**},