Add section for AppArmor mount rules in apparmor.md

Summary of content: - Introduction to mount rules in AppArmor - Short explanation of correlation between CAP_SYS_ADMIN and mount - 2 examples for profiles that allow mount operations. Signed-off-by: Andreas Elvstam Cantner <andreas.elvstam@se.bosch.com>

Add section for AppArmor mount rules in apparmor.md
Summary of content: - Introduction to mount rules in AppArmor - Short explanation of correlation between CAP_SYS_ADMIN and mount - 2 examples for profiles that allow mount operations. Signed-off-by: Andreas Elvstam Cantner <andreas.elvstam@se.bosch.com>
d25f9845 · Elvstam Cantner Andreas · e1ad543a · d25f9845
Commit d25f9845 authored 4 years ago by Elvstam Cantner Andreas
--- a/content/guides/apparmor.md
+++ b/content/guides/apparmor.md
@@ -708,6 +708,112 @@ read and write permissions to a specific mount point.
 }
 ```

+### Mount
+With AppArmor it is possible to define what mount operations a confined executable
+is allowed to perform. By default no mount operations are allowed, but the AppArmor
+[mount rules](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#mount-rules-apparmor-28-and-later)
+can be used to explicitly whitelist certain mount operations.
+
+{{% notice tip %}}
+Since the AppArmor mount rules are based on the same syntax as
+[mount(8)](https://man7.org/linux/man-pages/man8/mount.8.html), detailed references
+regarding `fstype` and `options` can be looked up there. Re-using the same syntax
+also makes it easier to map the mount operations executed to the mount rules
+needed in the AppArmor profile.
+{{% /notice %}}
+
+{{% notice note %}}
+For AppArmor versions **before** 2.8 capability `CAP_SYS_ADMIN` was sufficient.
+[Repology](https://repology.org/project/apparmor/versions) can be used to find
+out the used AppArmor version for various distributions.
+{{% /notice %}}
+
+As with any other kind of AppArmor rules, the mount rules can only be used to
+block or allow what is already granted on system level. Hence, in order to use
+mount operations in an executable confined by AppArmor the following criteria
+must be met:
+
+ 1.	Executable or user is allowed to perform mount operations on system level,
+    e.g by DAC permissions or capability `CAP_SYS_ADMIN`.
+{{% notice tip %}}
+Inspiration on performing mount operations as a non-root user can be found in
+section _"Non-superuser mounts"_ at
+[mount(8)](https://man7.org/linux/man-pages/man8/mount.8.html).
+{{% /notice %}}
+
+ 2. The profile must allow capability `CAP_SYS_ADMIN`.
+ 3.	The profile must allow the needed mount operations, using the mount rules.
+ 4.	The profile must allow the necessary file permissions. E.g execute permission
+    to the mount binary, read the filesystem or write to the mount point etc.
+
+**Example:** Profile where `/path/to/executable` is allowed to execute the binary
+`/bin/mount` to mount `/path/to/fs` at the mount point `/path/to/mount_point/` as
+any type of filesystem, with any arguments to the mount operation e.g `ext4`
+type as read-write or `sysfs` as read-only etc.
+
+```
+/path/to/executable {
+  #include <abstractions/base>
+
+  # Allow capability 'CAP_SYS_ADMIN'
+  capability sys_admin,
+
+  # Allow to execute the mount binary confined by the same profile as '/path/to/executable'
+  /bin/mount Ix,
+
+  # Allow 'path/to/fs' to be mounted at mount point '/path/to/mount_point/'
+  mount /path/to/fs -> /path/to/mount_point/,
+
+  # Read access to the filesystem to be mounted
+  /path/to/fs r,
+
+  # Write access to the mount point and any files or directories below it
+  /path/to/mount_point/** w,
+
+  # Read access to the executable itself
+  path/to/executable r,
+```
+
+**Example:** Profile where `/path/to/executable` is allowed to execute the binary
+`/bin/mount` to mount, remount and unmount certain mount points. Here `dummy_fs`
+is only allowed to be mounted as type `ext4` and read-write to
+`/path/to/mount_point_1/`, ***and if*** `dummy_fs` is owned by the current user.
+Anything under `/path/to/mount_point_2/` can be remounted, while
+`/path/to/mount_point_3/` can only be unmounted.
+
+```
+/path/to/executable {
+  #include <abstractions/base>
+
+  # Allow capability 'CAP_SYS_ADMIN'
+  capability sys_admin,
+
+  # Allow to execute the mount binary confined by the same profile as '/path/to/executable'
+  /bin/mount Ix,
+
+  # Allow 'dummy_sysfs', no matter where it is located on the system, to be
+  # mounted as type 'ext4' and read-write to '/path/to/mount_point_1/'
+  mount fstype=(ext4) options=(rw) /**/dummy_sysfs -> /path/to/mount_point_1/,
+
+  # Allow to remount of any mount point in any directory under '/path/to/mount_point_2/'
+  remount /path/to/mount_point_2/**,
+
+  # Allow to unmount '/path/to/mount_point_3/'
+  umount /path/to/mount_point_3/
+
+  # Read access to the filesystem to be mounted, if owned by the current user
+  owner /**/dummy_sysfs r,
+
+  # Read access to the all three mount points and any files or directories below them
+  /path/to/mount_point_[123]/** r,
+
+  # Write access to the two mount points and any files or directories below them
+  /path/to/mount_point_[12]/** w,
+
+  # Read access to the executable itself
+  path/to/executable r,
+```
+
 ## Best practices

 Following is the list of recommendations during the development and usage of profiles in AppArmor:
@@ -749,4 +855,3 @@ Following is the list of recommendations during the development and usage of pro

 * Understand the difference between "environment variable scrubbing" (capital P/I/C/Ux) and "no environment variable scrubbing" (lower case p/i/c/ux) for execute permissions and where possible use the former. 
    * Check Ubuntu man page for details on scrubbing: [Ubuntu Manpage apparmor.d - syntax of security profiles for AppArmor](http://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html).
-