public inbox for passt-dev@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Cc: Paul Holzinger <pholzing@redhat.com>,
	David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH 2/5] apparmor: Explicitly pass options we use while remounting root filesystem
Date: Thu,  7 Sep 2023 00:35:12 +0200	[thread overview]
Message-ID: <20230906223515.2533706-3-sbrivio@redhat.com> (raw)
In-Reply-To: <20230906223515.2533706-1-sbrivio@redhat.com>

As a result of AppArmor commit d4b0fef10a4a ("parser: fix rule flag
generation change_mount type rules"), we can't expect anymore to
get permission to mount() / read-write, with MS_REC | MS_UNBINDABLE
("runbindable", in AppArmor terms), if we don't explicitly pass those
flags as options. It used to work by mistake.

Now, the reasonable expectation would be that we could just change the
existing rule into:

  mount options=(rw, runbindable) "" -> /,

...but this now fails to load too, I think as a result of AppArmor
commit 9d3f8c6cc05d ("parser: fix parsing of source as mount point
for propagation type flags"). It works with 'rw' alone, but
'runbindable' is indeed a propagation type flag.

Skip the source specification, it doesn't add anything meaningful to
the rule anyway.

Reported-by: Paul Holzinger <pholzing@redhat.com>
Link: https://github.com/containers/podman/pull/19751
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/apparmor/abstractions/passt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index a16eb6e..d778222 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -26,7 +26,7 @@
   capability sys_ptrace,
 
   /					r,	# isolate_prefork(), isolation.c
-  mount		""	-> "/",
+  mount options=(rw, runbindable) /,
   mount		""	-> "/tmp/",
   pivot_root	"/tmp/" -> "/tmp/",
   umount	"/",
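Review bot: the `""` source form that the commit message says the parser now rejects alongside propagation-type flags is dropped only from the `/` rule, while the next line still reads `mount "" -> "/tmp/",`; if the corresponding mount in isolate_prefork() also relies on bind or propagation flags (MS_BIND, MS_REC and the like), that rule will need the same `options=(...)` treatment to keep loading, and if it does not, a short comment next to the new `mount options=(rw, runbindable) /,` line saying which mount() call in isolation.c it covers (the `/ r,` line above already does this) would make it clear to the next reader why only this rule changed.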
-- 
2.39.2


Thread overview: 6+ messages
2023-09-06 22:35 [PATCH 0/5] Fixes to AppArmor policy, passt/pasta profile split Stefano Brivio
2023-09-06 22:35 ` [PATCH 1/5] apparmor: Use abstractions/nameservice to deal with symlinked resolv.conf Stefano Brivio
2023-09-06 22:35 ` Stefano Brivio [this message]
2023-09-06 22:35 ` [PATCH 3/5] apparmor: Allow read-only access to uid_map Stefano Brivio
2023-09-06 22:35 ` [PATCH 4/5] apparmor: Allow pasta to remount /proc, access entries under its own copy Stefano Brivio
2023-09-06 22:35 ` [PATCH 5/5] apparmor: Add pasta's own profile Stefano Brivio

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt