| author | John Johansen <john.johansen@canonical.com> | 2012-05-22 08:22:18 -0700 |
|---|---|---|
| committer | John Rigby <john.rigby@linaro.org> | 2012-06-25 15:04:11 -0600 |
| commit | c1d062dd814d8333ac9e3cc2426d6ef7bf3d1b02 | |
| tree | f3baeddff1536e3e118bd1a5c8ad1fda9924685f /lib | |
| parent | a0d66adf341ba90dd2014229c17acaa9c2f4d99f | |
UBUNTU: SAUCE: apparmor: Add the ability to mediate mount
Add the ability for apparmor to do mediation of mount operations. Mount
rules require an updated apparmor_parser (2.8 series) for policy compilation.

The basic form of the rules is:

  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
  [audit] [deny] remount [conds]* [path],
  [audit] [deny] umount [conds]* [path],
  [audit] [deny] pivotroot [oldroot=<value>] <path>

remount is just a short cut for mount options=remount

where [conds] can be

  fstype=<expr>
  options=<expr>

Example mount commands:

  mount,                                   # allow all mounts, but not umount or pivotroot
  mount fstype=procfs,                     # allow mounting procfs anywhere
  mount options=(bind, ro) /foo -> /bar,   # readonly bind mount
  mount /dev/sda -> /mnt,
  mount /dev/sd** -> /mnt/**,
  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/,
  umount,
  umount /m*,

See the apparmor userspace for full documentation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
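To make the rule grammar in the commit message concrete, here is an added example (not part of this commit and not apparmor_parser's own code): a small Python parser that splits rule lines of the four forms above into their qualifiers, operation, conditions and path operands, expanding the `remount` shortcut the message describes. It is a simplified illustration of the syntax only; it assumes conditions are `key=value` or `key=(v1, v2)` tokens and treats paths and globs as opaque strings, so it does not reproduce the full apparmor_parser grammar.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Whitespace splits tokens, except that options=(bind, ro) stays one token.
TOKEN_RE = re.compile(r"[a-z]+=\([^)]*\)|\S+")
@dataclass
class MountRule:
    op: str
    audit: bool = False
    deny: bool = False
    conds: dict = field(default_factory=dict)  # cond key -> tuple of values
    device: Optional[str] = None               # mount source, left of '->'
    path: Optional[str] = None                 # mount point / path operand

def _cond(tok):
    # Return (key, values) for a fstype=/options=/oldroot= token, else None.
    key, eq, val = tok.partition("=")
    if not eq or key not in ("fstype", "options", "oldroot"):
        return None
    if val.startswith("(") and val.endswith(")"):   # parenthesised list
        return key, tuple(v.strip() for v in val[1:-1].split(",") if v.strip())
    return key, (val,)
def parse_mount_rule(line: str) -> MountRule:
    text = line.split("#", 1)[0].strip()            # drop a trailing comment
    if not text.endswith(","):
        raise ValueError(f"rule must end with ',': {line!r}")
    toks = TOKEN_RE.findall(text[:-1])
    audit = deny = False
    while toks and toks[0] in ("audit", "deny"):    # optional qualifiers
        qual = toks.pop(0)
        audit, deny = audit or qual == "audit", deny or qual == "deny"
    if not toks or toks[0] not in ("mount", "remount", "umount", "pivotroot"):
        raise ValueError(f"unknown mount operation in {line!r}")
    rule = MountRule(toks.pop(0), audit, deny)
    if rule.op == "remount":                        # shortcut for options=remount
        rule.conds["options"] = ("remount",)
    after_arrow = False
    for tok in toks:
        if tok == "->":
            if rule.op != "mount":
                raise ValueError(f"'->' is only valid in mount rules: {line!r}")
            after_arrow = True
        elif (c := _cond(tok)) is not None:
            rule.conds[c[0]] = rule.conds.get(c[0], ()) + c[1]
        elif rule.op == "mount" and not after_arrow:
            rule.device = tok                       # [device] before '->'
        else:
            rule.path = tok                         # [path] / mount point
    return rule
```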
Diffstat (limited to 'lib')
0 files changed, 0 insertions, 0 deletions