mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 07:54:17 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(abs): rewrite bwrap mount rules.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-03-03 12:08:30 +00:00
parent af0c87f712
commit 0ffa51aca4
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
1 changed files with 45 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
apparmor.d/abstractions/bwrap
View File

@ -13,22 +13,51 @@
network netlink raw, network netlink raw,
mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/, mount options=(rw rbind) /oldroot/ -> /newroot/,
mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/, mount options=(rw rbind) /oldroot/dev/{,u}random -> /newroot/dev/{,u}random,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/tmp/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
mount options=(ro nosuid nodev noexec remount bind silent relatime) -> /newroot/**/,
mount options=(ro nosuid nodev noexec remount bind silent) -> /newroot/@{run}/,
mount options=(ro nosuid nodev noexec remount noatime bind silent) -> /newroot/**/,
mount options=(ro nosuid nodev remount bind silent relatime) -> /newroot/**/,
mount options=(ro nosuid nodev remount bind silent) -> /newroot/dev/{,**/},
mount options=(ro nosuid nodev remount noatime bind silent) -> /newroot/,
mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/, mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
mount options=(rw rbind) /oldroot/dev/* -> /newroot/dev/*, mount options=(rw rbind) /oldroot/dev/tty -> /newroot/dev/tty,
mount options=(rw rbind) /oldroot/{,**/} -> /newroot/{,**/}, mount options=(rw rbind) /oldroot/dev/pts/@{int} -> /newroot/dev/console,
mount options=(rw silent rprivate) -> /oldroot/, mount options=(rw silent rprivate) -> /oldroot/,
mount options=(rw silent rslave) -> /, mount options=(rw silent rslave) -> /,
mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/@{HOME}/**/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/@{PROC}/sys/fs/binfmt_misc/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/@{run}/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/@{run}/user/@{uid}/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/@{run}/user/@{uid}/doc/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/@{run}/user/@{uid}/gvfs/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/@{sys}/fs/cgroup/net_cls/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/dev/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/dev/hugepages/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/efi/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/tmp/,
remount options=(ro nosuid nodev bind silent relatime) /newroot/var/,
remount options=(ro nosuid nodev bind silent) /newroot/dev/,
remount options=(ro nosuid nodev bind silent) /newroot/dev/shm/,
remount options=(ro nosuid nodev bind silent) /newroot/tmp/,
remount options=(ro nosuid nodev noatime bind silent) /newroot/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{PROC}/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/firmware/efi/efivars/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/fs/bpf/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/fs/cgroup/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/fs/fuse/connections/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/fs/pstore/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/kernel/config/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/kernel/debug/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/kernel/security/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/kernel/tracing/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/boot/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/dev/mqueue/,
remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/dev/pts/,
remount options=(ro nosuid nodev noexec bind silent) /newroot/@{run}/,
remount options=(ro nosuid nodev noexec noatime bind silent) /newroot/@{HOME}/{,**/},
remount options=(ro nosuid nodev noexec noatime bind silent) /newroot/@{MOUNTS}/{,**/},
umount /, umount /,
umount /oldroot/, umount /oldroot/,