touch-packages team mailing list archive

[Bug 1272028] Re: remount, not honored on bind mounts

 

I've attached a patch against the 2.9 branch that's working for me. I'm
allowing rbind as well as bind because that's the part of the actual
call that caused me to discover this. It looks like an equivalent change
could be made against master as well:

http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/parser/mount.h#L106

Should I submit it to the mailing list, too?

** Patch added: "PATCH.patch"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1272028/+attachment/4457487/+files/PATCH.patch

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1272028

Title:
  remount, not honored on bind mounts

Status in apparmor package in Ubuntu:
  Expired
Status in apparmor source package in Precise:
  Expired
Status in apparmor source package in Trusty:
  Expired
Status in apparmor source package in Utopic:
  Expired

Bug description:
  I was trying to run docker in a nested container.  docker wants to
  remount a bind-mounted dir as ro.  Audit log showed this failed.  I
  first tried to add more specific rules, but when those did not work I
  tried just

  remount,

  in the policy.  Still the mount was denied.  Finally when I added
  'mount,', it worked.

  Ideally I would be able to say

    remount options=(ro,bind) -> /var/lib/docker/**/,
