SUSE:SLE-12-SP1:GA
libvirt.1263
apparmor-profile-no-mount.patch
File apparmor-profile-no-mount.patch of Package libvirt.1263
Index: libvirt-1.2.5/examples/apparmor/libvirt-lxc =================================================================== --- libvirt-1.2.5.orig/examples/apparmor/libvirt-lxc +++ libvirt-1.2.5/examples/apparmor/libvirt-lxc @@ -2,39 +2,16 @@ #include <abstractions/base> - umount, - - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - - # allow tmpfs mounts everywhere - mount fstype=tmpfs, - - # allow mqueue mounts everywhere - mount fstype=mqueue, - - # allow fuse mounts everywhere - mount fstype=fuse.*, - - # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted - mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, + # deny writes in /proc/sys/fs deny @{PROC}/sys/fs/** wklx, - # allow efivars to be mounted, writing to it will be blocked though - mount fstype=efivarfs -> /sys/firmware/efi/efivars/, # block some other dangerous paths deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, - # deny writes in /sys except for /sys/fs/cgroup, also allow - # fusectl, securityfs and debugfs to be mounted there (read-only) - mount fstype=fusectl -> /sys/fs/fuse/connections/, - mount fstype=securityfs -> /sys/kernel/security/, - mount fstype=debugfs -> /sys/kernel/debug/, - mount fstype=proc -> /proc/, - mount fstype=sysfs -> /sys/, + # deny writes in /sys except for /sys/fs/cgroup, deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx,
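Review bot: the patch has no header or description explaining why the `umount,` rule and every `mount fstype=...` rule are removed from the libvirt-lxc profile; since the file name (apparmor-profile-no-mount.patch) is the only hint, a short rationale above the `Index:` line (or in the package changelog) would help whoever rebases it onto a newer libvirt. Two smaller points in the same hunk: the rewritten comment `+ # deny writes in /sys except for /sys/fs/cgroup,` keeps the trailing comma from the original two-line comment and now reads as an unfinished sentence, so drop the comma; and because the `deny /sys/firmware/efi/efivars/** rwklx,` and `deny /sys/kernel/security/** rwklx,` lines are kept while the `mount fstype=efivarfs -> /sys/firmware/efi/efivars/,` and `mount fstype=securityfs -> /sys/kernel/security/,` rules that paired with them are gone, the profile's behaviour for a guest that tries to mount those filesystems now depends entirely on the implicit deny for mount operations, which is worth stating in that rationale.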