[apparmor] [Bug 959560] [NEW] deny mount does not work correctly

John Johansen john.johansen at canonical.com
Mon Mar 19 18:11:07 UTC 2012


Public bug reported:

Given the following profile,


  profile lxc_container flags=(attach_disconnected) {
	  umount,

	  # ignore DENIED message on / remount
	  # FIXME: doesn't match yet
	  deny mount options=(ro, remount) -> /,

	  # allow tmpfs mounts everywhere
	  mount fstype=tmpfs,

	  # allow bind mount of /lib/init/fstab for lxcguest
	  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

	  # deny writes in /proc/sys/fs but allow fusectl to be mounted
	  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,

	  # deny writes in /sys except for /sys/fs/cgroup, also allow
	  # fusectl, securityfs and debugfs to be mounted there (read-only)
	  mount fstype=fusectl -> /sys/fs/fuse/connections/,
	  mount fstype=securityfs -> /sys/kernel/security/,
	  mount fstype=debugfs -> /sys/kernel/debug/,
  }


the rule

  deny mount options=(ro, remount) -> /,

does not work correctly.

** Affects: apparmor
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/959560

Title:
  deny mount does not work correctly

Status in AppArmor Linux application security framework:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/959560/+subscriptions



More information about the AppArmor mailing list