From b4bcb2f16e61ae8d5a8393e84d092b7940999871 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 13 Nov 2024 13:31:06 +0000
Subject: [PATCH] fix(profile): minor fixes.
---
 apparmor.d/profiles-g-l/ip | 8 +++++---
 apparmor.d/profiles-s-z/sync | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index 56c6f5f5..bcb521c0 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@@ -20,11 +20,13 @@ profile ip @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- mount options=(rw, rshared) -> @{run}/netns/,
- mount options=(rw, rslave) -> /,
+ mount fstype=sysfs -> /sys/,
+ mount options=(rw bind) / -> @{run}/netns/*,
+ mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/,
 mount options=(rw, bind) @{att}/ -> @{run}/netns/*,
 mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf,
- mount fstype=sysfs -> /sys/,
+ mount options=(rw, rshared) -> @{run}/netns/,
+ mount options=(rw, rslave) -> /,
 umount @{run}/netns/*,
 umount /sys/,
diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync
index 85a408df..9b47b4df 100644
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@@ -14,7 +14,7 @@ profile sync @{exec_path} {
 @{exec_path} mr,
 # All paths where sync can be used to flush all write operations on a single file to disk
- /** rw,
+ /{,**} rw,
 include if exists
 }
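Review bot: The added rule `mount options=(rw bind) / -> @{run}/netns/*,` in the ip profile names `/` as the bind source with no comment explaining why, so on its face it reads as permission to bind-mount the root filesystem over any netns entry. If, as seems likely, `/` is simply how the namespace file's source is reported to AppArmor when `ip netns add` binds it, a comment above the rule should say so, for example `# ip netns add: the namespace file source is seen as "/" here (to confirm)`. The two added bind rules also write their option lists as `(rw bind)` and `(rw rbind)` while the neighbouring rules use `(rw, bind)`; using the comma form throughout would keep the block uniform. The profile body starts and ends outside this hunk, so any narrower or deny rule elsewhere in it is not visible here.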
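Review bot: The comment above the changed rule in the sync profile still speaks of a single file, but `/{,**} rw,` now also matches the root directory itself, and the reason for the brace alternation is easy to miss. Extend the comment, for example `# /{,**} rather than /** so that "sync /" is matched as well`. Because the rule grants `w` on every path, the same comment should state why write access is needed (presumably for files that can only be opened write-only); if it is not needed, `r` alone would be the tighter grant.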