diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2023-09-06 20:54:52 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2023-09-07 00:31:22 +0200 |
commit | b686afa23e85321f9e376b2aeddddb6e70adc22b (patch) | |
tree | 01142e19a5749fd5c9653876bf359117d6d90c00 /contrib | |
parent | 6d3e426d2f8af68ea471ebfe4b3dc89e5c8ed62f (diff) | |
download | passt-b686afa23e85321f9e376b2aeddddb6e70adc22b.tar passt-b686afa23e85321f9e376b2aeddddb6e70adc22b.tar.gz passt-b686afa23e85321f9e376b2aeddddb6e70adc22b.tar.bz2 passt-b686afa23e85321f9e376b2aeddddb6e70adc22b.tar.lz passt-b686afa23e85321f9e376b2aeddddb6e70adc22b.tar.xz passt-b686afa23e85321f9e376b2aeddddb6e70adc22b.tar.zst passt-b686afa23e85321f9e376b2aeddddb6e70adc22b.zip |
apparmor: Explicitly pass options we use while remounting root filesystem
As a result of AppArmor commit d4b0fef10a4a ("parser: fix rule flag
generation change_mount type rules"), we can't expect anymore to
get permission to mount() / read-write, with MS_REC | MS_UNBINDABLE
("runbindable", in AppArmor terms), if we don't explicitly pass those
flags as options. It used to work by mistake.
Now, the reasonable expectation would be that we could just change the
existing rule into:
mount options=(rw, runbindable) "" -> /,
...but this now fails to load too, I think as a result of AppArmor
commit 9d3f8c6cc05d ("parser: fix parsing of source as mount point
for propagation type flags"). It works with 'rw' alone, but
'runbindable' is indeed a propagation type flag.
Skip the source specification, it doesn't add anything meaningful to
the rule anyway.
Reported-by: Paul Holzinger <pholzing@redhat.com>
Link: https://github.com/containers/podman/pull/19751
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/apparmor/abstractions/passt | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt index a16eb6e..d778222 100644 --- a/contrib/apparmor/abstractions/passt +++ b/contrib/apparmor/abstractions/passt @@ -26,7 +26,7 @@ capability sys_ptrace, / r, # isolate_prefork(), isolation.c - mount "" -> "/", + mount options=(rw, runbindable) /, mount "" -> "/tmp/", pivot_root "/tmp/" -> "/tmp/", umount "/", |