From: Filip Schauer <f.schauer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH container] fix #5160: fix move_mount regression for mount point hotplug
Date: Mon, 25 Mar 2024 18:31:17 +0100
Message-ID: <8a3c6f9b-5088-4169-b364-2b54a869d34d@proxmox.com>
In-Reply-To: <20240108135456.74684-1-f.schauer@proxmox.com>

Patch v2 is available:
https://lists.proxmox.com/pipermail/pve-devel/2024-March/062390.html

On 08/01/2024 14:54, Filip Schauer wrote:
> Set up an Apparmor profile to allow moving mounts for mount point
> hotplug.
>
> This fixes a regression caused by
> kernel commit 157a3537d6 ("apparmor: Fix regression in mount mediation")
>
> The commit introduced move_mount mediation, which now requires
> move_mount to be allowed in the Apparmor profile. Although it is allowed
> for most paths in the /usr/bin/lxc-start profile, move_mount is called
> with a file descriptor instead of a path in mountpoint_insert_staged,
> thus it is not affected by the allow rules in
> /etc/apparmor.d/abstractions/lxc/container-base.
>
> To fix this, introduce a new Apparmor profile to allow move_mount on
> every mount, specifically for mount point hotplug.
>
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
>   debian/rules                     | 3 +++
>   src/Makefile                     | 3 +++
>   src/PVE/LXC.pm                   | 2 +-
>   src/pve-container-debug@.service | 1 +
>   src/pve-container-mounthotplug   | 7 +++++++
>   src/pve-container@.service       | 1 +
>   6 files changed, 16 insertions(+), 1 deletion(-)
>   create mode 100644 src/pve-container-mounthotplug
>
> diff --git a/debian/rules b/debian/rules
> index d999152..f7edccf 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -14,3 +14,6 @@
>   
>   override_dh_installsystemd:
>   	dh_installsystemd -ppve-container --no-start --no-enable --no-restart-after-upgrade -r 'system-pve\x2dcontainer.slice'
> +
> +override_dh_install:
> +	dh_apparmor -p pve-container --profile-name=pve-container-mounthotplug
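Review bot: defining override_dh_install with only a dh_apparmor call replaces the default dh_install step instead of extending it, so anything the package relies on dh_install for (debian/*.install files, for example) is no longer installed. The usual pattern is to run `dh_install` first and then `dh_apparmor -ppve-container --profile-name=pve-container-mounthotplug` inside the override; matching the `-ppve-container` spelling of the dh_installsystemd line above also keeps the file consistent.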
> diff --git a/src/Makefile b/src/Makefile
> index 5a7a82e..dca666a 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -4,6 +4,7 @@ PREFIX=${DESTDIR}/usr
>   BINDIR=${PREFIX}/bin
>   LIBDIR=${PREFIX}/lib
>   SBINDIR=${PREFIX}/sbin
> +ETCDIR=${DESTDIR}/etc
>   MANDIR=${PREFIX}/share/man
>   DOCDIR=${PREFIX}/share/doc/${PACKAGE}
>   LXC_SCRIPT_DIR=${PREFIX}/share/lxc
> @@ -13,6 +14,7 @@ LXC_CONFIG_DIR=${LXC_SCRIPT_DIR}/config
>   LXC_COMMON_CONFIG_DIR=${LXC_CONFIG_DIR}/common.conf.d
>   LXC_USERNS_CONFIG_DIR=${LXC_CONFIG_DIR}/userns.conf.d
>   SERVICEDIR=${DESTDIR}/lib/systemd/system
> +APPARMORDDIR=${ETCDIR}/apparmor.d
>   PODDIR=${DOCDIR}/pod
>   MAN1DIR=${MANDIR}/man1/
>   MAN5DIR=${MANDIR}/man5/
> @@ -73,6 +75,7 @@ install: pct lxc-pve.conf pct.1 pct.conf.5 pct.bash-completion pct.zsh-completio
>   	gzip -9 ${MAN5DIR}/pct.conf.5
>   	cd ${MAN5DIR}; ln -s pct.conf.5.gz ct.conf.5.gz
>   	install -D -m 0644 10-pve-ct-inotify-limits.conf ${LIBDIR}/sysctl.d/10-pve-ct-inotify-limits.conf
> +	install -D -m 0644 pve-container-mounthotplug ${APPARMORDDIR}/pve/pve-container-mounthotplug
>   
>   pve-userns.seccomp: /usr/share/lxc/config/common.seccomp
>   	cp $< $@
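Review bot: the install line puts the profile at ${APPARMORDDIR}/pve/pve-container-mounthotplug, i.e. under a pve/ subdirectory, while debian/rules passes --profile-name=pve-container-mounthotplug, and dh_apparmor's maintainer-script snippets address the profile as /etc/apparmor.d/<profile-name>. With the subdirectory in between, the postinst reload most likely does not act on the installed file; either install it directly into ${APPARMORDDIR}, or verify that the generated postinst really reloads the path used here and document why the pve/ subdirectory is wanted.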
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 7883cfb..7db4833 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1974,7 +1974,7 @@ sub mountpoint_hotplug :prototype($$$$$) {
>   	my $dir = get_staging_mount_path($opt);
>   
>   	# Now switch our apparmor profile before mounting:
> -	my $data = 'changeprofile /usr/bin/lxc-start';
> +	my $data = 'changeprofile pve-container-mounthotplug';
>   	if (syswrite($aa_fd, $data, length($data)) != length($data)) {
>   	    die "failed to change apparmor profile: $!\n";
>   	}
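Review bot: the unchanged `die "failed to change apparmor profile: $!\n";` becomes harder to act on with this change, because the target is now a bare profile name that only resolves once the new profile has been loaded into the kernel; the ExecStartPre in the unit files covers containers started after the upgrade, but a hotplug on a container that was already running before the upgrade will hit exactly this error. Including the requested transition in the message, e.g. `die "failed to change apparmor profile ($data): $!\n";`, would make that case obvious from the log; the profile the process is confined by at this point must also permit the change_profile transition to the new name.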
> diff --git a/src/pve-container-debug@.service b/src/pve-container-debug@.service
> index 7cfebaa..66b5d9f 100644
> --- a/src/pve-container-debug@.service
> +++ b/src/pve-container-debug@.service
> @@ -13,6 +13,7 @@ Type=simple
>   Delegate=yes
>   KillMode=mixed
>   TimeoutStopSec=120s
> +ExecStartPre=/lib/apparmor/profile-load pve/pve-container-mounthotplug
>   ExecStart=/usr/bin/lxc-start -F -n %i -o /dev/stderr -l DEBUG
>   ExecStop=/usr/share/lxc/pve-container-stop-wrapper %i
>   # Environment=BOOTUP=serial
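Review bot: ExecStartPre without a `-` prefix turns a failed profile load into a failed container start, a fail-closed choice for a profile that is only needed later for mount point hotplug; the commit message should say whether that is intended, and if it is not, `ExecStartPre=-/lib/apparmor/profile-load pve/pve-container-mounthotplug` lets the container come up and leaves the hotplug path to report the missing profile. The identical line is added to pve-container@.service further down, so a shared drop-in unit would keep the two templates from drifting apart.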
> diff --git a/src/pve-container-mounthotplug b/src/pve-container-mounthotplug
> new file mode 100644
> index 0000000..e6f3903
> --- /dev/null
> +++ b/src/pve-container-mounthotplug
> @@ -0,0 +1,7 @@
> +#include <tunables/global>
> +
> +profile pve-container-mounthotplug flags=(attach_disconnected) {
> +  #include <abstractions/lxc/start-container>
> +
> +  mount options=(move),
> +}
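Review bot: `mount options=(move),` carries no source or destination qualifier, so any process that enters this profile may move any mount to any location, which is considerably broader than the path-restricted rules in abstractions/lxc/container-base that the commit message refers to. The justification (move_mount is called with a file descriptor, so there is no path for a rule to match) lives only in the commit message; put it in a comment above the rule so a later cleanup does not tighten it and reintroduce the regression, and note there that the profile is meant to be entered only for the duration of the hotplug.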
> diff --git a/src/pve-container@.service b/src/pve-container@.service
> index fdc373e..011565b 100644
> --- a/src/pve-container@.service
> +++ b/src/pve-container@.service
> @@ -13,6 +13,7 @@ Type=simple
>   Delegate=yes
>   KillMode=mixed
>   TimeoutStopSec=120s
> +ExecStartPre=/lib/apparmor/profile-load pve/pve-container-mounthotplug
>   ExecStart=/usr/bin/lxc-start -F -n %i
>   ExecStop=/usr/share/lxc/pve-container-stop-wrapper %i
>   # Environment=BOOTUP=serial