felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(abs): bwrap: add special mount rule for debian.

Browse source
This commit is contained in:
Alexandre Pujol 2024-06-11 00:01:46 +01:00
parent 8fe2bf4c20
commit 08a1aba39d
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
1 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/abstractions/common/bwrap
View file

@ -2,10 +2,9 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Minimal set of rules for bwrap # A minimal set of rules for sandboxed programs using bwrap.
# A profile using this abstraction still needs to set: # A profile using this abstraction still needs to set:
# - the attach_disconnected flag # - the flag: attach_disconnected
# - bwrap execution: '@{bin}/bwrap rix,' # - bwrap execution: '@{bin}/bwrap rix,'
# userns, # userns,
@ -31,6 +30,9 @@
umount /, umount /,
umount /oldroot/, umount /oldroot/,
#aa:only debian whonix
mount -> /newroot/{,**}, # Debian does not support the remount rule.
pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/newroot/ /newroot/,
pivot_root oldroot=/tmp/oldroot/ /tmp/, pivot_root oldroot=/tmp/oldroot/ /tmp/,