feat(abs): cleanup bwrap mount rule as it is not maintainable to restrict more.

2025-01-18 17:08:09 +01:00 · 2024-03-03 23:11:27 +00:00 · 2024-03-03 23:11:27 +00:00 · b91cf4da41
commit b91cf4da41
parent 0ffa51aca4
1 changed files with 7 additions and 44 deletions
--- a/apparmor.d/abstractions/bwrap
+++ b/apparmor.d/abstractions/bwrap
@ -13,51 +13,14 @@

  network netlink raw,

-  mount               options=(rw rbind)                          /oldroot/ -> /newroot/,
-  mount               options=(rw rbind)            /oldroot/dev/{,u}random -> /newroot/dev/{,u}random,
-  mount               options=(rw rbind)                      /tmp/newroot/ -> /tmp/newroot/,
-  mount               options=(rw rbind)                   /oldroot/dev/tty -> /newroot/dev/tty,
-  mount               options=(rw rbind)            /oldroot/dev/pts/@{int} -> /newroot/dev/console,
-  mount               options=(rw silent rprivate)                          -> /oldroot/,
-  mount               options=(rw silent rslave)                            -> /,
-  mount fstype=devpts options=(rw nosuid noexec)                     devpts -> /newroot/dev/pts/,
-  mount fstype=tmpfs  options=(rw nosuid nodev)                       tmpfs -> /newroot/dev/,
-  mount fstype=tmpfs  options=(rw nosuid nodev)                       tmpfs -> /tmp/,
+  mount               options=(rw rbind)            /oldroot/{,**/} -> /newroot/{,**/},
+  mount               options=(rw silent rprivate)                  -> /oldroot/,
+  mount               options=(rw silent rslave)                    -> /,
+  mount fstype=devpts options=(rw nosuid noexec)             devpts -> /newroot/dev/pts/,
+  mount fstype=tmpfs  options=(rw nosuid nodev)               tmpfs -> /newroot/dev/,
+  mount fstype=tmpfs  options=(rw nosuid nodev)               tmpfs -> /tmp/,

-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{HOME}/**/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{PROC}/sys/fs/binfmt_misc/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{run}/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{run}/user/@{uid}/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{run}/user/@{uid}/doc/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{run}/user/@{uid}/gvfs/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/@{sys}/fs/cgroup/net_cls/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/dev/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/dev/hugepages/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/efi/, 
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/tmp/,
-  remount options=(ro nosuid nodev bind silent relatime)         /newroot/var/,
-  remount options=(ro nosuid nodev bind silent)                  /newroot/dev/,
-  remount options=(ro nosuid nodev bind silent)                  /newroot/dev/shm/,
-  remount options=(ro nosuid nodev bind silent)                  /newroot/tmp/,
-  remount options=(ro nosuid nodev noatime bind silent)          /newroot/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{PROC}/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/firmware/efi/efivars/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/fs/bpf/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/fs/cgroup/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/fs/fuse/connections/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/fs/pstore/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/kernel/config/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/kernel/debug/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/kernel/security/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/@{sys}/kernel/tracing/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/boot/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/dev/mqueue/,
-  remount options=(ro nosuid nodev noexec bind silent relatime)  /newroot/dev/pts/,
-  remount options=(ro nosuid nodev noexec bind silent)           /newroot/@{run}/,
-  remount options=(ro nosuid nodev noexec noatime bind silent)   /newroot/@{HOME}/{,**/},
-  remount options=(ro nosuid nodev noexec noatime bind silent)   /newroot/@{MOUNTS}/{,**/},
+  remount /newroot/{,**/},

  umount /,
  umount /oldroot/,