
apparmor: regenerate rules
Follow the instructions from config/apparmor/README:

./lxc-generate-aa-rules.py container-rules.base > container-rules
cat abstractions/container-base.in container-rules > abstractions/container-base

Signed-off-by: Alexander Mikhalitsyn <[email protected]>
mihalicyn committed Jun 4, 2024
1 parent 9c492b0 commit 083678b
Showing 1 changed file with 9 additions and 10 deletions.
19 changes: 9 additions & 10 deletions config/apparmor/abstractions/container-base
Expand Up @@ -73,6 +73,7 @@
# block some other dangerous paths
deny @{PROC}/kcore rwklx,
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/acpi/** rwklx,

# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
Expand All @@ -85,21 +86,20 @@
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,

# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,

# allow paths to be made slave, shared, private or unbindable
mount options=(rw,make-slave) -> **,
mount options=(rw,make-rslave) -> **,
mount options=(rw,make-shared) -> **,
mount options=(rw,make-rshared) -> **,
mount options=(rw,make-private) -> **,
mount options=(rw,make-rprivate) -> **,
mount options=(rw,make-unbindable) -> **,
mount options=(rw,make-runbindable) -> **,
mount options=(rw,make-slave) -> /**,
mount options=(rw,make-rslave) -> /**,
mount options=(rw,make-shared) -> /**,
mount options=(rw,make-rshared) -> /**,
mount options=(rw,make-private) -> /**,
mount options=(rw,make-rprivate) -> /**,
mount options=(rw,make-unbindable) -> /**,
mount options=(rw,make-runbindable) -> /**,

# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
Expand Down Expand Up @@ -146,7 +146,6 @@
mount options=(rw,move) /s[^y]*{,/**},
mount options=(rw,move) /sy[^s]*{,/**},
mount options=(rw,move) /sys?*{,/**},

# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
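Review bot: The commit message describes a pure regeneration, but the second hunk changes the policy itself — the cgmanager `mount options=(move)` rule disappears and the eight `make-*` propagation rules narrow their target from `-> **` to `-> /**` — and the first hunk adds `deny @{PROC}/acpi/** rwklx,`, none of which the description names. With only one file in the diffstat, these presumably reflect earlier edits to container-base.in that the generated abstraction had not yet picked up; a sentence in the description stating that (and pointing at the commit that changed the .in file) would let a reader of the history tell intended policy changes from generator noise. The `/**` narrowing looks harmless because mount targets are absolute paths, but it is worth confirming with the apparmor_parser version the project targets that `**` did not previously match something `/**` now misses. The third hunk's only change is a dropped blank line before the `# generated by:` marker, consistent with generator output.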
