From 532162f30253491d58bf05fde0b778f9244c9479 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 4 Mar 2024 12:55:32 +0000
Subject: [PATCH] feat(abs): improve mount rule for bwrap.
---
 apparmor.d/abstractions/bwrap | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap
index 391c374a..192cf5b7 100644
--- a/apparmor.d/abstractions/bwrap
+++ b/apparmor.d/abstractions/bwrap
@@ -13,14 +13,16 @@
 network netlink raw,
- mount options=(rw rbind) /oldroot/{,**/} -> /newroot/{,**/},
- mount options=(rw silent rprivate) -> /oldroot/,
- mount options=(rw silent rslave) -> /,
- mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
- mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
- mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
+ mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
+ mount options=(rw rbind) /oldroot/{,**} -> /newroot/{,**},
+ mount options=(rw silent rprivate) -> /oldroot/,
+ mount options=(rw silent rslave) -> /,
+ mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
+ mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
- remount /newroot/{,**/},
+ remount /newroot/{,**},
 umount /,
 umount /oldroot/,
@@ -29,8 +31,7 @@
 pivot_root oldroot=/tmp/oldroot/ /tmp/,
 owner / r,
- owner /newroot/**/ w,
- owner /newroot/dev/* w,
+ owner /newroot/{,**} w,
 owner /tmp/newroot/ w,
 owner /tmp/oldroot/ w,
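Review bot: The rbind rule now reads `mount options=(rw rbind) /oldroot/{,**} -> /newroot/{,**},`, so it matches files as well as directories, and because AppArmor evaluates the source and destination globs independently it permits any path under /oldroot/ to be bound over any path under /newroot/ rather than a like-for-like pairing; the `remount /newroot/{,**}` line in the same hunk is widened the same way. Presumably the switch from `{,**/}` to `{,**}` is needed because bwrap can bind-mount individual files, which the directory-only form did not cover, but nothing in the hunk records that. A one-line comment above the rule, e.g. `# {,**} rather than {,**/}: bwrap also bind-mounts single files, not just directories`, would let the next maintainer judge the scope without re-deriving it.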
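Review bot: `owner /newroot/{,**} w,` replaces the two narrower grants (`owner /newroot/**/ w,` and `owner /newroot/dev/* w,`) with write access to every owner-owned file and directory beneath /newroot/, and since the previous hunk rbind-mounts /oldroot/ onto /newroot/, that is in effect write access to the user's whole view of the old root through the /newroot/ path until pivot_root runs. If the extra breadth exists only so bwrap can create empty mount-point files for file bind mounts, a comment saying so, e.g. `# bwrap creates mount-point directories and empty files under /newroot/ before binding onto them`, would record why a blanket write grant was chosen over the earlier directory-only one. It would also be worth confirming in bwrap's behaviour that file targets are created rather than only directories, since that is the assumption the widened rule rests on.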