From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
Date: Wed, 22 Jul 2020 13:05:05 +0200
Message-ID: <20200722110505.8210-3-s.ivanov@proxmox.com>
In-Reply-To: <20200722110505.8210-1-s.ivanov@proxmox.com>
commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
fixes the apparmor deny for mounting boot_id (used for example for identifying
different boots with `journalctl`) inside the container.
Tested by editing the profile and replacing it disregarding the cache:
`apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 27 insertions(+)
create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
new file mode 100644
index 0000000..fefc586
--- /dev/null
+++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Wed, 22 Jul 2020 12:17:24 +0200
+Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
+
+The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
+necessary mount calls for /proc/sys/kernel/random/boot_id
+(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
+
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ config/apparmor/abstractions/start-container.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
+index 9998f1121..9f64c2727 100644
+--- a/config/apparmor/abstractions/start-container.in
++++ b/config/apparmor/abstractions/start-container.in
+@@ -22,6 +22,7 @@
+ mount -> /var/lib/lxc/{**,},
+
+ mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
+
+ # required for some pre-mount hooks
+ mount fstype=overlayfs,
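Review bot: the added rule `+ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,` is keyed to one exact option list, but the nested commit message only says "the ro remount is missing"; either state there that lxc_setup_boot_id remounts with ro, nosuid, nodev, noexec together, or give the rule a one-line comment in start-container.in (in the style of the `# required for some pre-mount hooks` line below it) pointing at src/lxc/conf.c:lxc_setup_boot_id, so that a later change to those flags in conf.c can be traced back to this rule. That comment could also record why the rule names no source path: it is a remount of the mount established by the `mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,` line directly above, so only the target is constrained, which a reader comparing the two lines would otherwise have to work out.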
diff --git a/debian/patches/series b/debian/patches/series
index ee20ef5..f588081 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0003-PVE-Config-attach-always-use-getent.patch
+pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
--
2.20.1
Thread overview: 8+ messages
2020-07-22 11:05 [pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience Stoiko Ivanov
2020-07-22 11:05 ` [pve-devel] [PATCH lxc 1/2] update lxc to include fixes for cgroupv2 setups Stoiko Ivanov
2020-07-22 11:05 ` Stoiko Ivanov [this message]
2020-07-22 11:51 ` [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id Thomas Lamprecht
2020-07-22 11:59 ` Stoiko Ivanov
2020-07-22 12:09 ` Thomas Lamprecht
2020-07-22 12:15 ` Stoiko Ivanov
2020-09-09 19:06 ` [pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience Thomas Lamprecht