InTheForest/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2026-01-11 18:51:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove 'deny mount' in the apparmor template

Browse Source 
The `mount` system call is already controlled through `profiles/seccomp/default.json`.
According to it, `mount(2)` is gated by `CAP_SYS_ADMIN`, yet as it is blocked in the default apparmor profile as well, even containers with `CAP_SYS_ADMIN` are unable to `mount(2)`.
As per https://github.com/moby/moby/issues/40421#issuecomment-579421705 `deny mount` was added to the apparmor profile before the inclusion of seccomp.
This commit removes `deny mount` from `profiles/apparmor/template.go`, so use of `mount(2)` can be controlled entirely by capabilities and seccomp profiles.

Signed-off-by: Daniel Ferenczi <daniel.ferenczi@protonmail.com>
This commit is contained in:
Daniel Ferenczi
2020-01-29 15:39:52 +01:00
parent 2ebaeef943
commit db2e59456b
1 changed files with 0 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
profiles/apparmor/template.go
View File

@@ -32,8 +32,6 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/kcore rwklx,
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,