
Commit 57cf149

committed
interfaces: lock down the remount AppArmor rules for steam-support
1 parent 1cdd307 commit 57cf149


1 file changed

+53
-4
lines changed


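--- a/interfaces/builtin/steam_support.go
+++ b/interfaces/builtin/steam_support.go
@@ -70,10 +70,59 @@ mount options=(rw, rbind) /oldroot/usr/lib/os-release -> /newroot/run/host/os-re
 
 # Bubblewrap performs remounts on directories it binds under /newroot
 # to fix up the options (since options other than MS_REC are ignored
-# when performing a bind mount). Ideally we'd write a rule that
-# requires the remount option in combination with any other, but
-# AppArmor doesn't currently support that.
-mount options in (rw, ro, nosuid, nodev, noexec, remount, bind, silent, relatime) -> /newroot/{,**},
+# when performing a bind mount). Ideally we could do something like:
+# remount options=(bind, silent, nosuid, *) /newroot/{,**},
+#
+# But that is not supported by AppArmor. So we enumerate the possible
+# combinations of options Bubblewrap might use.
+remount options=(bind, silent, nosuid, rw) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, noexec) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, noexec) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, noatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, noatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, noexec, noatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, noexec, noatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, relatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, relatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, noexec, relatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, noexec, relatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, noexec, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, noexec, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, noatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, noatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, noexec, noatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, noexec, noatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, relatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, relatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, noexec, relatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, rw, nodev, noexec, relatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, noexec) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, noexec) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, noatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, noatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, noexec, noatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, noexec, noatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, relatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, relatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, noexec, relatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, noexec, relatime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, noexec, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, noexec, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, noatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, noatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, noexec, noatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, noexec, noatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, relatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, relatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, noexec, relatime, nodiratime) /newroot/{,**},
+remount options=(bind, silent, nosuid, ro, nodev, noexec, relatime, nodiratime) /newroot/{,**},
 
 /newroot/** rwkl,
 /bindfile* rw,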
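Review bot: The comment above the 48 new `remount` rules says the block "enumerates the possible combinations" but does not state which option sets it spans, so the next person editing this block has to count lines to check completeness and will not know whether an omission is deliberate. The rules as written are exactly (rw | ro) × every subset of {nodev, noexec} × one of {none, noatime, relatime, nodiratime, noatime+nodiratime, relatime+nodiratime}, always with bind, silent and nosuid, i.e. 2 × 4 × 6 = 48 lines; suggest adding `# (rw|ro) x {nodev,noexec} subsets x {-, noatime, relatime, nodiratime, noatime+nodiratime, relatime+nodiratime}: 48 rules, nosuid always required.` after the "combinations of options Bubblewrap might use." line. Because every rule requires nosuid and remount, a combination outside these sets (a host filesystem carrying a flag not listed here) fails closed with an AppArmor denial rather than widening the profile, which is the right direction for the lockdown but makes a unit test on the generated profile worthwhile, asserting the 48 rules are present and that the old `mount options in (...)` form no longer appears. The enclosing Go raw-string constant begins and ends outside this hunk.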
