From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH lxc] PVE: [Config] deny rw mounting of /sys and /proc

Note that we don't actually make use of this anymore, since
we switched to the generated profiles which already do this.

this would allow root in a privileged container to change
the permissions of /sys on the host, which could lock out
non-root users.

if a rw /sys is desired, set "lxc.mount.auto" accordingly
---
 config/apparmor/abstractions/container-base    | 6 +++++-
 config/apparmor/abstractions/container-base.in | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 077476559..fbd70fdf5 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -82,7 +82,6 @@
   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
@@ -91,6 +90,11 @@
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
+  # prevent rw mounting of /sys, because that allows changing its global permissions
+  deny mount -> /proc/,
+  deny mount -> /sys/,
+#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
   # allow paths to be made slave, shared, private or unbindable
   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
 #  mount options=(rw,make-slave) -> **,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2606fb64c..3e61c62ea 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -83,7 +83,6 @@
   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
@@ -91,6 +90,11 @@
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
+  # prevent rw mounting of /sys, because that allows changing its global permissions
+  deny mount -> /proc/,
+  deny mount -> /sys/,
+#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
   # allow paths to be made slave, shared, private or unbindable
   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
 #  mount options=(rw,make-slave) -> **,