felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(abs): improve mount rule for bwrap.

Browse source
This commit is contained in:
Alexandre Pujol 2024-03-04 12:55:32 +00:00
parent f1b01d03cd
commit 532162f302
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
1 changed files with 10 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

9
apparmor.d/abstractions/bwrap
View file

@ -13,14 +13,16 @@
network netlink raw, network netlink raw,
mount options=(rw rbind) /oldroot/{,**/} -> /newroot/{,**/}, mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
mount options=(rw rbind) /oldroot/{,**} -> /newroot/{,**},
mount options=(rw silent rprivate) -> /oldroot/, mount options=(rw silent rprivate) -> /oldroot/,
mount options=(rw silent rslave) -> /, mount options=(rw silent rslave) -> /,
mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/, mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/, mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/, mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
remount /newroot/{,**/}, remount /newroot/{,**},
umount /, umount /,
umount /oldroot/, umount /oldroot/,
@ -29,8 +31,7 @@
pivot_root oldroot=/tmp/oldroot/ /tmp/, pivot_root oldroot=/tmp/oldroot/ /tmp/,
owner / r, owner / r,
owner /newroot/**/ w, owner /newroot/{,**} w,
owner /newroot/dev/* w,
owner /tmp/newroot/ w, owner /tmp/newroot/ w,
owner /tmp/oldroot/ w, owner /tmp/oldroot/ w,