From 431e93c9df93b0f74109f1bcd6d1c4fa7e495372 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 28 Feb 2024 17:17:51 +0000
Subject: [PATCH] feat(abs): update bwrap minimal requirments.
---
 apparmor.d/abstractions/bwrap | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap
index 87fb68e4e..bd42310d5 100644
--- a/apparmor.d/abstractions/bwrap
+++ b/apparmor.d/abstractions/bwrap
@@ -14,13 +14,16 @@
 network netlink raw,
 mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
- mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/,
- mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
- mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/tmp/,
- mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
+ mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/tmp/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
 mount options=(ro nosuid nodev noexec remount bind silent relatime) -> /newroot/**/,
+ mount options=(ro nosuid nodev noexec remount bind silent) -> /newroot/@{run}/,
+ mount options=(ro nosuid nodev noexec remount noatime bind silent) -> /newroot/**/,
 mount options=(ro nosuid nodev remount bind silent relatime) -> /newroot/**/,
- mount options=(rw nosuid nodev remount bind silent relatime) -> /newroot/**/,
+ mount options=(ro nosuid nodev remount bind silent) -> /newroot/dev/{,**/},
+ mount options=(ro nosuid nodev remount noatime bind silent) -> /newroot/,
 mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
 mount options=(rw rbind) /oldroot/dev/* -> /newroot/dev/*,
 mount options=(rw rbind) /oldroot/{,**/} -> /newroot/{,**/},