Группа :: Система/Настройка/Прочее
Пакет: pve-lxc
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: 0008-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
Скачать
Скачать
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH lxc] PVE: [Config] deny rw mounting of /sys and /proc
Note that we don't actually make use of this anymore, since
we switched to the generated profiles which already do this.
this would allow root in a privileged container to change
the permissions of /sys on the host, which could lock out
non-root users.
if a rw /sys is desired, set "lxc.mount.auto" accordingly
---
config/apparmor/abstractions/container-base | 6 +++++-
config/apparmor/abstractions/container-base.in | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 077476559..fbd70fdf5 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -82,7 +82,6 @@
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
- mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
@@ -91,6 +90,11 @@
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
+ # prevent rw mounting of /sys, because that allows changing its global permissions
+ deny mount -> /proc/,
+ deny mount -> /sys/,
+# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
# allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2606fb64c..3e61c62ea 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -83,7 +83,6 @@
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
- mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
@@ -91,6 +90,11 @@
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
+ # prevent rw mounting of /sys, because that allows changing its global permissions
+ deny mount -> /proc/,
+ deny mount -> /sys/,
+# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+
# allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,