mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 07:54:17 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(abs): improve mount rule for bwrap.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-03-04 12:55:32 +00:00
parent f1b01d03cd
commit 532162f302
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
1 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
apparmor.d/abstractions/bwrap
View File

@ -13,14 +13,16 @@
network netlink raw,
mount options=(rw rbind) /oldroot/{,**/} -> /newroot/{,**/},
mount options=(rw silent rprivate) -> /oldroot/,
mount options=(rw silent rslave) -> /,
mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
mount options=(rw rbind) /oldroot/{,**} -> /newroot/{,**},
mount options=(rw silent rprivate) -> /oldroot/,
mount options=(rw silent rslave) -> /,
mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
mount fstype=proc options=(rw nosuid nodev noexec) proc -> /newroot/@{PROC}/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
remount /newroot/{,**/},
remount /newroot/{,**},
umount /,
umount /oldroot/,
@ -29,8 +31,7 @@
pivot_root oldroot=/tmp/oldroot/ /tmp/,
owner / r,
owner /newroot/**/ w,
owner /newroot/dev/* w,
owner /newroot/{,**} w,
owner /tmp/newroot/ w,
owner /tmp/oldroot/ w,