felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

build: use the base-strict abstraction automatically.

Browse source
This commit is contained in:
Alexandre Pujol 2025-06-16 23:17:45 +02:00
parent 7dd860f277
commit 1118d2ffc5
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 7 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
apparmor.d/abstractions/attached/base
View file

@ -8,14 +8,14 @@
abi <abi/4.0>,
include <abstractions/base>
include <abstractions/base-strict>
@{att}/@{run}/systemd/journal/dev-log w,
@{att}/@{run}/systemd/journal/socket w,
@{att}/@{run}/systemd/journal/stdout rw,
deny /apparmor/.null rw,
deny @{att}/apparmor/.null rw,
/apparmor/.null rw,
@{att}/apparmor/.null rw,
include if exists <abstractions/attached/base.d>

4
pkg/prebuild/builder/attach.go
View file

@ -49,6 +49,10 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
} else {
insert = "@{att} = /\n"
profile = strings.ReplaceAll(profile,
"include <abstractions/base>",
"include <abstractions/base-strict>",
)
}
return strings.Replace(profile, origin, insert+origin, 1), nil