# Mount-rule section of the base container profile.
# The mount rules below are only understood by recent apparmor parsers.
# Comment them out if the parser rejects them.
# NOTE(review): this header says "the following 3 entries", but the section now
# holds many more mount rules than three; the count looks stale from an earlier
# revision — update or drop it.
# Deny the read-only remount of / explicitly so the attempt is refused without
# producing a DENIED audit message (explicit deny rules are quiet by default).
deny mount options=(ro, remount) -> /,
# tmpfs may be mounted at any path inside the container's mount namespace:
# no destination is given, so the rule is not restricted to a mountpoint.
mount fstype=tmpfs,
# mqueue may likewise be mounted at any path.
mount fstype=mqueue,
# Any fuse.* filesystem type may be mounted at any path (wildcard fstype).
mount fstype=fuse.*,
# Bind mount used by lxcguest to swap in its own /lib/init/fstab.
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
# binfmt_misc may be mounted at its usual place under /proc/sys/fs, but
# file writes (w), locks (k), links (l) and exec (x) anywhere under
# @{PROC}/sys/fs/ are denied — reads are not denied by this rule, and a mount
# permission is independent of the file-access denial that follows it.
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# efivarfs may be mounted; writes to the mounted variables are expected to be
# blocked by a separate deny on /sys that is not part of this excerpt —
# NOTE(review): confirm that deny is present elsewhere in the profile.
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# Block direct access to kernel-control and raw-memory interfaces in /proc.
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
# Writes in /sys are denied except for /sys/fs/cgroup (that deny rule lives
# outside this excerpt); fusectl, securityfs and debugfs may still be mounted
# at their standard locations. NOTE(review): these mount rules carry no
# options=(ro), so "read-only" here presumably relies on the /sys write deny
# rather than on the mount rules themselves — verify.
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
# Explicitly deny the ureadahead debugfs mountpoint so that attempt is refused
# quietly instead of being logged.
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
# proc and sysfs may be mounted only at their canonical mountpoints.
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
# Allow cgmanager to move its cgroup mount aside (MS_MOVE) to the .lower path.
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,