feat(profile): improve rootless container support

See: #101
2025-01-18 00:48:10 +01:00 · 2023-04-24 15:43:19 +01:00 · 2023-04-24 15:43:19 +01:00 · a4dd6d52cd
commit a4dd6d52cd
parent 9afb6b93ef
1 changed files with 6 additions and 4 deletions
--- a/apparmor.d/profiles-s-z/slirp4netns
+++ b/apparmor.d/profiles-s-z/slirp4netns
@ -19,18 +19,20 @@ profile slirp4netns @{exec_path} flags=(attach_disconnected) {
  network inet dgram,
  network inet6 dgram,

-  mount options=(rw, make-slave) -> **,
-  mount options=(rw, make-rslave) -> **,
-  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> **,
+  # TODO: Restrict this a bit
+  mount,
  umount,

+  pivot_root oldroot=/tmp/old/ -> /tmp/,
+
  @{exec_path} mr,

  /tmp/{,**} rw,
  /old/ rw,

-  owner @{run}/user/@{uid}/libpod/tmp/slirp4netns-*.log r,
+        @{run}/user/@{uid}/netns-@{uid} r,
        @{run}/user/@{uid}/netns/cni-* r,
+  owner @{run}/user/@{uid}/libpod/tmp/slirp4netns-*.log r,

  pivot_root /tmp/**,
  pivot_root /tmp/old/,