diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index 083bb16c..0507fd86 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -31,6 +31,8 @@
 include
 include
+ # userns,
+
 capability setgid,
 capability setuid,
 capability sys_admin,
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd
index 1eef0508..ac0ea5a4 100644
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@@ -10,6 +10,8 @@ include
 profile virtiofsd @{exec_path} {
 include
+ # userns,
+
 capability chown,
 capability dac_override,
 capability dac_read_search,
diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns
index 94dd1b3e..46b559da 100644
--- a/apparmor.d/profiles-s-z/slirp4netns
+++ b/apparmor.d/profiles-s-z/slirp4netns
@@ -10,6 +10,8 @@ include
 profile slirp4netns @{exec_path} flags=(attach_disconnected) {
 include
+ # userns,
+
 capability net_admin,
 capability setpcap,
 capability sys_admin,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 0a5cd08f..511343b6 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -35,6 +35,8 @@ profile thunderbird @{exec_path} {
 include
 include
+ # userns,
+
 capability sys_admin, # If kernel.unprivileged_userns_clone = 1
 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
diff --git a/pkg/prebuild/build.go b/pkg/prebuild/build.go
index add73dfc..0cdb64c6 100644
--- a/pkg/prebuild/build.go
+++ b/pkg/prebuild/build.go
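Review bot: The added `# userns,` line reads as a commented-out rule, but the pkg/prebuild/build.go hunk in this same commit rewrites the literal text `# userns,` into a live `userns,` rule, so in an abi/4.0 build this line presumably permits user-namespace creation while nothing on the line says so. A maintainer tidying the abstraction could reasonably delete or reword it as a stale comment and silently change the abi/4.0 policy. A trailing note that survives the rewrite, in the style the thunderbird profile already uses for its capability lines, would make the marker self-describing, e.g. `# userns, # placeholder: prebuild uncomments this for abi/4.0 builds`; the same applies to the virtiofsd, slirp4netns and thunderbird hunks. The abstraction body extends on both sides of the hunk.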
@@ -22,11 +22,9 @@ var (
 regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
 regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`)
 regProfileHeader = regexp.MustCompile(` {`)
- regAbi4To3 = util.ToRegexRepl([]string{
- `abi/4.0`, `abi/3.0`,
- `(?m)^.*mqueue.*$`, ``,
- `(?m)^.*userns.*$`, ``,
- `(?m)^.*io_uring.*$`, ``,
+ regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
+ `abi/3.0`, `abi/4.0`,
+ `# userns,`, `userns,`,
 })
 )
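Review bot: `regAbi4To3` now performs the opposite conversion (abi/3.0 to abi/4.0, as the new inline comment concedes), so the name contradicts its behaviour at every use; rename it to `regAbi3To4` and update the callers, which sit outside this hunk, rather than carrying the contradiction in a comment. The new `# userns,` pattern is also unanchored where the removed ones were `(?m)^…$`, so it rewrites that text wherever it occurs on a line, including inside an ordinary comment that happens to mention it. If util.ToRegexRepl follows regexp.ReplaceAllString semantics, an anchored pair such as `(?m)^(\s*)# userns,` / `${1}userns,` limits the rewrite to the marker line itself. The removed mqueue and io_uring handling has no counterpart on the new side, so abi/4.0 builds no longer receive any transformation for those rules; if that is intended, a comment on the variable saying so would stop the next reader from re-adding it. The `var (` block begins outside the hunk.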