RFC: mount: allow optional flags with a question mark (!305) · Merge requests · AppArmor / apparmor

Wolfgang Bumiller requested to merge wbumiller/apparmor:2019-01-17/mount-optional-flags into master Jan 17, 2019

We'd like to be able to specify a rule like: allow mount where options consists of at least (ro,bind,remount) and also any combination of (nosuid,nodev,noexec,strictatime) Without having to resort to writing a rule for every possible combination of the above flags.

This patch introduces a question-mark prefix for optional mount flags making the following rule:

  mount options=(ro,bind,remount,?nosuid,?nodev),

equivalent to the following:

  mount options=(ro,bind,remount),
  mount options=(ro,bind,remount,nosuid),
  mount options=(ro,bind,remount,nodev),
  mount options=(ro,bind,remount,nodev,nosuid),

Note the difference to "accumulating options" where

  mount options=(ro,bin,remount) options=(nosuid,nodev),

would instead be equivalent to

  mount options=(ro,bin,remount),
  mount options=(nosuid,nodev),

Signed-off-by: Wolfgang Bumiller w.bumiller@proxmox.com

Edited Mar 30, 2023 by Wolfgang Bumiller

RFC: mount: allow optional flags with a question mark

Merge request reports