From a4dd6d52cd40e228fe3e228e824b5aedb5d35dfe Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 24 Apr 2023 15:43:19 +0100
Subject: [PATCH] feat(profile): improve rootless container support

See: #101
---
 apparmor.d/profiles-s-z/slirp4netns | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns
index d662ee80..c2f3d6b2 100644
--- a/apparmor.d/profiles-s-z/slirp4netns
+++ b/apparmor.d/profiles-s-z/slirp4netns
@@ -19,18 +19,20 @@ profile slirp4netns @{exec_path} flags=(attach_disconnected) {
   network inet dgram,
   network inet6 dgram,
-  mount options=(rw, make-slave) -> **,
-  mount options=(rw, make-rslave) -> **,
-  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> **,
+  # TODO: Restrict this a bit
+  mount,
   umount,
+  pivot_root oldroot=/tmp/old/ -> /tmp/,
+
   @{exec_path} mr,
   /tmp/{,**} rw,
   /old/ rw,
-  owner @{run}/user/@{uid}/libpod/tmp/slirp4netns-*.log r,
+  @{run}/user/@{uid}/netns-@{uid} r,
   @{run}/user/@{uid}/netns/cni-* r,
+  owner @{run}/user/@{uid}/libpod/tmp/slirp4netns-*.log r,
   pivot_root /tmp/**,
   pivot_root /tmp/old/,
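Review bot: The bare `mount,` that replaces the three option-scoped `mount options=(...) -> **` rules, together with the equally unbounded `umount,` beside it, lets the confined process mount or unmount anything anywhere, so the mount-namespace part of the sandbox no longer constrains much; the TODO admits this but records no bound. The hunk itself fixes the scope — the sandbox root is `/tmp/` and the old root `/tmp/old/` — so the rules can follow it, e.g. `mount options=(rw, rslave) -> /,` (the removed make-rslave rule suggests it is still needed), `mount -> /tmp/{,**},` and `umount /tmp/old/,`, widened only from actual audit denials. Separately, if I read the apparmor.d(5) pivot_root grammar correctly, `->` introduces the profile to transition into rather than the new root, so `pivot_root oldroot=/tmp/old/ -> /tmp/,` likely wants to be `pivot_root oldroot=/tmp/old/ /tmp/,`; worth confirming with `apparmor_parser -p`. The enclosing profile block starts and ends outside the hunk.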