apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

config/apparmor/abstractions/container-base

@@ -120,6 +120,16 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow various ro-bind-*re*-mounts
+  mount options=(ro,remount,bind),
+  mount options=(ro,remount,bind,nosuid),
+  mount options=(ro,remount,bind,noexec),
+  mount options=(ro,remount,bind,nodev),
+  mount options=(ro,remount,bind,nosuid,noexec),
+  mount options=(ro,remount,bind,noexec,nodev),
+  mount options=(ro,remount,bind,nodev,nosuid),
+  mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},

config/apparmor/abstractions/container-base.in

@@ -119,6 +119,16 @@
   mount options=(rw,bind) /sy[^s]*{,/**},
   mount options=(rw,bind) /sys?*{,/**},
 
+  # allow various ro-bind-*re*-mounts
+  mount options=(ro,remount,bind),
+  mount options=(ro,remount,bind,nosuid),
+  mount options=(ro,remount,bind,noexec),
+  mount options=(ro,remount,bind,nodev),
+  mount options=(ro,remount,bind,nosuid,noexec),
+  mount options=(ro,remount,bind,noexec,nodev),
+  mount options=(ro,remount,bind,nodev,nosuid),
+  mount options=(ro,remount,bind,nosuid,noexec,nodev),
+
   # allow moving mounts except for /proc, /sys and /dev
   mount options=(rw,move) /[^spd]*{,/**},
   mount options=(rw,move) /d[^e]*{,/**},
@@ -136,4 +146,3 @@
   mount options=(rw,move) /s[^y]*{,/**},
   mount options=(rw,move) /sy[^s]*{,/**},
   mount options=(rw,move) /sys?*{,/**},
-

src/lxc/lsm/apparmor.c

@@ -167,23 +167,15 @@ static const char AA_PROFILE_BASE[] =
 "  mount options=(rw,bind) /sy[^s]*{,/**},\n"
 "  mount options=(rw,bind) /sys?*{,/**},\n"
 "\n"
-"  # allow read-only bind-mounts of anything except /proc, /sys and /dev\n"
-"  mount options=(ro,remount,bind) -> /[^spd]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /d[^e]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /de[^v]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.[^l]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.l[^x]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.lx[^c]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/.lxc?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev/[^.]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /dev?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /p[^r]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /pr[^o]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /pro[^c]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /proc?*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /s[^y]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /sy[^s]*{,/**},\n"
-"  mount options=(ro,remount,bind) -> /sys?*{,/**},\n"
+"  # allow various ro-bind-*re*-mounts\n"
+"  mount options=(ro,remount,bind),\n"
+"  mount options=(ro,remount,bind,nosuid),\n"
+"  mount options=(ro,remount,bind,noexec),\n"
+"  mount options=(ro,remount,bind,nodev),\n"
+"  mount options=(ro,remount,bind,nosuid,noexec),\n"
+"  mount options=(ro,remount,bind,noexec,nodev),\n"
+"  mount options=(ro,remount,bind,nodev,nosuid),\n"
+"  mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
 "\n"
 "  # allow moving mounts except for /proc, /sys and /dev\n"
 "  mount options=(rw,move) /[^spd]*{,/**},\n"