diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap
index 7ce6a7b2..391c374a 100644
--- a/apparmor.d/abstractions/bwrap
+++ b/apparmor.d/abstractions/bwrap
@@ -13,51 +13,14 @@ network netlink raw,
- mount options=(rw rbind) /oldroot/ -> /newroot/,
- mount options=(rw rbind) /oldroot/dev/{,u}random -> /newroot/dev/{,u}random,
- mount options=(rw rbind) /tmp/newroot/ -> /tmp/newroot/,
- mount options=(rw rbind) /oldroot/dev/tty -> /newroot/dev/tty,
- mount options=(rw rbind) /oldroot/dev/pts/@{int} -> /newroot/dev/console,
- mount options=(rw silent rprivate) -> /oldroot/,
- mount options=(rw silent rslave) -> /,
- mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
- mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
- mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
+ mount options=(rw rbind) /oldroot/{,**/} -> /newroot/{,**/},
+ mount options=(rw silent rprivate) -> /oldroot/,
+ mount options=(rw silent rslave) -> /,
+ mount fstype=devpts options=(rw nosuid noexec) devpts -> /newroot/dev/pts/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /newroot/dev/,
+ mount fstype=tmpfs options=(rw nosuid nodev) tmpfs -> /tmp/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/@{HOME}/**/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/@{PROC}/sys/fs/binfmt_misc/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/@{run}/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/@{run}/user/@{uid}/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/@{run}/user/@{uid}/doc/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/@{run}/user/@{uid}/gvfs/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/@{sys}/fs/cgroup/net_cls/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/dev/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/dev/hugepages/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/efi/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/tmp/,
- remount options=(ro nosuid nodev bind silent relatime) /newroot/var/,
- remount options=(ro nosuid nodev bind silent) /newroot/dev/,
- remount options=(ro nosuid nodev bind silent) /newroot/dev/shm/,
- remount options=(ro nosuid nodev bind silent) /newroot/tmp/,
- remount options=(ro nosuid nodev noatime bind silent) /newroot/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{PROC}/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/firmware/efi/efivars/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/fs/bpf/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/fs/cgroup/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/fs/fuse/connections/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/fs/pstore/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/kernel/config/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/kernel/debug/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/kernel/security/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/@{sys}/kernel/tracing/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/boot/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/dev/mqueue/,
- remount options=(ro nosuid nodev noexec bind silent relatime) /newroot/dev/pts/,
- remount options=(ro nosuid nodev noexec bind silent) /newroot/@{run}/,
- remount options=(ro nosuid nodev noexec noatime bind silent) /newroot/@{HOME}/{,**/},
- remount options=(ro nosuid nodev noexec noatime bind silent) /newroot/@{MOUNTS}/{,**/},
+ remount /newroot/{,**/},
 umount /,
 umount /oldroot/,
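Review bot: The replacement `remount /newroot/{,**/},` drops the `options=` constraint that every removed remount rule carried, so the new side permits a remount of anything under /newroot with any flag set, where the old rules only ever allowed read-only remounts carrying nosuid and nodev (plus noexec, noatime or relatime in some combinations). If the goal was to stop enumerating flag combinations rather than to allow rw, suid or dev remounts inside the sandbox root, the flag vocabulary of the removed lines can be kept in a single rule, e.g. `remount options in (ro nosuid nodev noexec noatime relatime bind silent) /newroot/{,**/},`, assuming `options in` gives the subset match that apparmor.d(5) describes; confirm against the bwrap denials that motivated the change. The new `mount options=(rw rbind) /oldroot/{,**/} -> /newroot/{,**/},` likewise no longer pairs source and destination the way the removed rules did (/oldroot/dev/tty to /newroot/dev/tty, and so on); AppArmor globs cannot express that pairing, so this is an accepted widening and deserves a one-line comment above the rule, such as `# Any /oldroot subtree may be rbind-mounted anywhere under /newroot; the source/destination pairing is not expressible here.`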