fix(profile): workaround in apparmor issue for attached path.

See https://gitlab.com/apparmor/apparmor/-/issues/450 Fix #815
2025-08-17 11:57:36 +02:00 · 2025-08-17 11:57:36 +02:00 · 4e70cb4c91
commit 4e70cb4c91
parent 52e9ae9fd6
8 changed files with 7 additions and 6 deletions
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -135,6 +135,8 @@
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{att}/dev/shm/@{uuid} r,
  /dev/hidraw@{int} rw,
  /dev/input/ r,
  /dev/input/event@{int} rw,
--- a/apparmor.d/groups/flatpak/flatpak-app
+++ b/apparmor.d/groups/flatpak/flatpak-app
@ -83,7 +83,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
  /var/lib/flatpak/app/{,**} r,
  /var/lib/flatpak/exports/** rw,
        @{run}/.userns r,
        @{run}/parent/** r,
        @{run}/parent/app/.ref rk,
        @{run}/parent/usr/.ref rk,
--- a/apparmor.d/groups/flatpak/flatpak-portal
+++ b/apparmor.d/groups/flatpak/flatpak-portal
@ -31,7 +31,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
  /var/lib/flatpak/exports/share/mime/mime.cache r,
-  owner @{att}/ r,
+  owner /att/**/ r,
  owner @{att}/.flatpak-info r,
  owner @{HOME}/.var/app/*/**/.ref rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -65,8 +65,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  @{open_path}                            rPx -> child-open,
        / r,
  @{att}/ r,
  @{att}/.flatpak-info r,
  owner /att/**/ r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/xdg-desktop-portal/** r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -52,7 +52,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
              / r,
-  owner @{att}/ r,
+  owner /att/**/ r,
  owner /var/lib/xkb/server-@{int}.xkm rw,
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -44,7 +44,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  @{bin}/snap            rPx,
              / r,
-  owner @{att}/ r,
+  owner /att/**/ r,
  owner @{att}/.flatpak-info r,
  owner @{HOME}/ r,
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@ -73,7 +73,6 @@
 # Disabled on abi3 and Ubuntu 25.04+
 # See https://apparmor.pujol.io/development/internal/#re-attached-path
@{att}=/
 alias / -> //,
 # vim:syntax=apparmor
--- a/pkg/prebuild/prepare/attach.go
+++ b/pkg/prebuild/prepare/attach.go
@ -33,5 +33,6 @@ func (p ReAttach) Apply() ([]string, error) {
 		return res, err
 	}
 	out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/")
 	out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,")
 	return res, path.WriteFile([]byte(out))
 }