feat(abs): rewrite bwrap mount rules.

2024-11-14 23:43:56 +01:00 · 2024-03-03 12:08:30 +00:00 · 2024-03-03 12:08:30 +00:00 · 0ffa51aca4
commit 0ffa51aca4
parent af0c87f712
1 changed files with 45 additions and 16 deletions
--- a/apparmor.d/abstractions/bwrap
+++ b/apparmor.d/abstractions/bwrap
@ -13,22 +13,51 @@

  network netlink raw,

-  mount fstype=devpts options=(rw nosuid noexec)                devpts -> /newroot/dev/pts/,
-  mount fstype=proc   options=(rw nosuid nodev noexec)            proc -> /newroot/@{PROC}/,
-  mount fstype=tmpfs  options=(rw nosuid nodev)                  tmpfs -> /newroot/dev/,
-  mount fstype=tmpfs  options=(rw nosuid nodev)                  tmpfs -> /newroot/tmp/,
-  mount fstype=tmpfs  options=(rw nosuid nodev)                  tmpfs -> /tmp/,
-  mount options=(ro nosuid nodev noexec remount bind silent relatime)  -> /newroot/**/,
-  mount options=(ro nosuid nodev noexec remount bind silent)           -> /newroot/@{run}/,
-  mount options=(ro nosuid nodev noexec remount noatime bind silent)   -> /newroot/**/,
-  mount options=(ro nosuid nodev remount bind silent relatime)         -> /newroot/**/,
-  mount options=(ro nosuid nodev remount bind silent)                  -> /newroot/dev/{,**/},
-  mount options=(ro nosuid nodev remount noatime bind silent)          -> /newroot/,
-  mount options=(rw rbind)                               /tmp/newroot/ -> /tmp/newroot/,
-  mount options=(rw rbind)                              /oldroot/dev/* -> /newroot/dev/*, 
-  mount options=(rw rbind)                             /oldroot/{,**/} -> /newroot/{,**/},
-  mount options=(rw silent rprivate)                                   -> /oldroot/,
-  mount options=(rw silent rslave)                                     -> /,
+  mount               options=(rw rbind)                          /oldroot/ -> /newroot/,
+  mount               options=(rw rbind)            /oldroot/dev/{,u}random -> /newroot/dev/{,u}random,
+  mount               options=(rw rbind)                      /tmp/newroot/ -> /tmp/newroot/,
+  mount               options=(rw rbind)                   /oldroot/dev/tty -> /newroot/dev/tty,
+  mount               options=(rw rbind)            /oldroot/dev/pts/@{int} -> /newroot/dev/console,
+  mount               options=(rw silent rprivate)                          -> /oldroot/,
+  mount               options=(rw silent rslave)                            -> /,
+  mount fstype=devpts options=(rw nosuid noexec)                     devpts -> /newroot/dev/pts/,
+  mount fstype=tmpfs  options=(rw nosuid nodev)                       tmpfs -> /newroot/dev/,
+  mount fstype=tmpfs  options=(rw nosuid nodev)                       tmpfs -> /tmp/,
+
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{HOME}/**/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{PROC}/sys/fs/binfmt_misc/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{run}/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{run}/user/@{uid}/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{run}/user/@{uid}/doc/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{run}/user/@{uid}/gvfs/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{sys}/fs/cgroup/net_cls/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/dev/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/dev/hugepages/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/efi/, 
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/tmp/,
+  remount options=(ro nosuid nodev bind silent relatime)         /newroot/var/,
+  remount options=(ro nosuid nodev bind silent)                  /newroot/dev/,
+  remount options=(ro nosuid nodev bind silent)                  /newroot/dev/shm/,
+  remount options=(ro nosuid nodev bind silent)                  /newroot/tmp/,
+  remount options=(ro nosuid nodev noatime bind silent)          /newroot/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{PROC}/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/firmware/efi/efivars/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/fs/bpf/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/fs/cgroup/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/fs/fuse/connections/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/fs/pstore/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/kernel/config/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/kernel/debug/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/kernel/security/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/kernel/tracing/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/boot/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/dev/mqueue/,
+  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/dev/pts/,
+  remount options=(ro nosuid nodev noexec bind silent)           /newroot/@{run}/,
+  remount options=(ro nosuid nodev noexec noatime bind silent)   /newroot/@{HOME}/{,**/},
+  remount options=(ro nosuid nodev noexec noatime bind silent)   /newroot/@{MOUNTS}/{,**/},

  umount /,
  umount /oldroot/,