feat(profile): add a large profile for mkosi.
This commit is contained in:
Alexandre Pujol
parent
e5012e381e
commit
69fcef01b7
1 changed files with 25 additions and 0 deletions
25
apparmor.d/profiles-m-r/mkosi
Normal file
25
apparmor.d/profiles-m-r/mkosi
Normal file
|
|
@ -0,0 +1,25 @@
|
||||||
|
# apparmor.d - Full set of apparmor profiles
|
||||||
|
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
|
# This profile is large on purpose:
|
||||||
|
# - It is required to have a profile for mkosi to allow userns.
|
||||||
|
# - Mkosi uses a lot of different binaries and scripts inside sandbox.
|
||||||
|
# - Using the unconfined flag would Pix everything, we do not want that as the
|
||||||
|
# transitioned profile would have to account for mkosi paths too.
|
||||||
|
|
||||||
|
abi <abi/4.0>,
|
||||||
|
|
||||||
|
include <tunables/global>
|
||||||
|
|
||||||
|
@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi
|
||||||
|
profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
include <abstractions/base>
|
||||||
|
|
||||||
|
all,
|
||||||
|
userns,
|
||||||
|
|
||||||
|
include if exists <local/mkosi>
|
||||||
|
}
|
||||||
|
|
||||||
|
# vim:syntax=apparmor
|
||||||
Loading…
Add table
Add a link
Reference in a new issue