b88b8b8c26
As the number of abstraction is increasing, it is valuable to separate "base" abstractions to programs specific ones.
54 lines
1.7 KiB
Text
54 lines
1.7 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
# Minimal set of rules for bwrap
|
|
|
|
# A profile using this abstraction still needs to set:
|
|
# - the attach_disconnected flag
|
|
# - bwrap execution: '@{bin}/bwrap rix,'
|
|
|
|
# userns,
|
|
|
|
capability net_admin,
|
|
capability setpcap,
|
|
capability sys_admin,
|
|
capability sys_ptrace,
|
|
|
|
network netlink raw,
|
|
|
|
mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
|
|
mount options=(rw rbind) /oldroot/{,**} -> /newroot/{,**},
|
|
mount options=(rw silent rprivate) -> /oldroot/,
|
|
mount options=(rw silent rslave) -> /,
|
|
mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
|
|
mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/,
|
|
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/{,**},
|
|
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
|
|
|
|
remount /newroot/{,**},
|
|
|
|
umount /,
|
|
umount /oldroot/,
|
|
|
|
pivot_root oldroot=/newroot/ /newroot/,
|
|
pivot_root oldroot=/tmp/oldroot/ /tmp/,
|
|
|
|
owner / r,
|
|
owner /newroot/{,**} w,
|
|
|
|
owner /tmp/newroot/ w,
|
|
owner /tmp/oldroot/ w,
|
|
|
|
|
|
@{PROC}/sys/kernel/overflowgid r,
|
|
@{PROC}/sys/kernel/overflowuid r,
|
|
@{PROC}/sys/user/max_user_namespaces r,
|
|
owner @{PROC}/@{pid}/cgroup r,
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
owner @{PROC}/@{pid}/gid_map rw,
|
|
owner @{PROC}/@{pid}/mountinfo r,
|
|
owner @{PROC}/@{pid}/setgroups rw,
|
|
owner @{PROC}/@{pid}/uid_map rw,
|
|
|
|
include if exists <abstractions/common/bwrap.d>
|