From 1b8b52962bb0043bb8a886d8c536e1cc3d944bd6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 15 Mar 2024 23:45:18 +0000
Subject: [PATCH] feat(fsp): update mounting rules.

---
 apparmor.d/groups/_full/systemd | 19 ++++++++++++-------
 apparmor.d/groups/_full/systemd-user | 3 +++
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 41c10e96..83ed9c98 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -52,14 +52,18 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   network inet6 stream,
   network netlink raw,
-  mount fstype=autofs systemd-1 -> /efi/,
-  mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
-  mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
-  mount fstype=tmpfs tmpfs -> /dev/shm/,
-  mount fstype=tmpfs tmpfs -> /tmp/,
-  mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
-  mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
+  mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
+  mount fstype=autofs systemd-1 -> /efi/,
+  mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
+  mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
+  mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
+  mount fstype=tmpfs tmpfs -> /dev/shm/,
+  mount fstype=tmpfs tmpfs -> /tmp/,
+  mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
+  mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
+  mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
+  mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
   mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
   mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
   mount options=(rw move) -> @{sys}/fs/fuse/connections/,
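Review bot: The added `mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,` is subsumed by the re-added `mount fstype=tmpfs tmpfs -> /dev/shm/,` three lines above it: as I read AppArmor mount semantics, a rule with no options condition already permits the mount with any flags, so the stricter line changes nothing in enforcement. If the intent is to require nosuid/nodev/noexec on /dev/shm, drop the unconstrained line instead; the same question applies to the still-unconstrained `mount fstype=tmpfs tmpfs -> /tmp/,`. All seven removed lines reappear verbatim on the new side (the /efi/ autofs, proc, sysfs, both tmpfs, credentials and namespace dev rules), which suggests a whitespace-only change is folded in; splitting it out would make the genuine additions (binfmt_misc autofs, hugetlbfs, the /tmp/namespace-dev bind) easier to audit. The profile body starts before `network inet6 stream,` and continues after the move rule, outside the hunk.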
@@ -90,6 +94,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { remount options=(ro nosuid nodev bind) /var/, remount options=(ro nosuid nodev noexec bind) /boot/, remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, + remount options=(ro nosuid nodev noexec bind) /efi/, remount options=(ro nosuid noexec bind) /dev/pts/, umount /, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 8dcf6d9a..e17e1ca1 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -30,6 +30,9 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { ptrace (read), + unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-system, + unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user, + # dbus: own bus=session name=org.freedesktop.systemd1 @{exec_path} mr,
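Review bot: The two `unix (bind)` rules added after `ptrace (read),` in systemd-user carry no comment on what the abstract sockets `@@{hex}/bus/systemd/bus-system` and `bus-api-user` are bound for, and they fall outside the commit subject (mounting rules); a one-line comment such as `# abstract bus sockets bound by systemd --user; presumably the hex prefix is per-instance, confirm before narrowing` would save the next reader a trip through the audit log. AppArmor treats bind, listen and accept as separate unix accesses, so if the daemon also listens on these sockets the rules may need `(bind, listen)`; worth checking against actual denials rather than assuming `(bind)` alone suffices. The `remount options=(ro nosuid nodev noexec bind) /efi/,` line in the preceding hunk matches the neighbouring `/boot/` rule and needs nothing. Both profile bodies begin and end outside their hunks.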