apparmor/profiles/apparmor.d/sbuild-distupgrade

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(attach_disconnected mediate_deleted) {
  allow all,

  # override default pix
  /usr/bin/unshare ix,

  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/sbuild-distupgrade>
}
add profiles for applications in unconfined mode Adding profiles for applications even if they allow all operations will allow them to be referenced as peer by other policies. This is a step towards a more comprehensive system policy, adding names, instead of just unconfined, to peers of existing policy and to applications that are known to use unprivileged user namespaces. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2023-11-22 16:16:38 -03:00			`# This profile allows everything and only exists to give the`
			`# application a name instead of having the label "unconfined"`

			`abi <abi/4.0>,`
			`include <tunables/global>`

profiles: fix sbuild to work with the unprivileged_unshare profile sbuild is an unconfined profile allowing it to by-pass the unprivlieged user namespace restritction. unconfined profiles us a pix transition which means when the unprivileged_unshare profile is enabled, the binaries in an unconfined profile calls unshare it will transition to the unprivileged_unshare profile. This will break sbuild because it needs capabilities within the user namespace. However we can not just add a x transition rule to unconfined profiles, the transitions won't be respected. Instead we have to make the profile a default allow profile, and add a transition that will override the default pix transition of allow all. We have to add the attached_disconnected and mediated_deleted flags because sbuild is manipulating mounts. Signed-off-by: John Johansen <john.johansen@canonical.com> 2025-02-19 16:05:57 -08:00			`profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(attach_disconnected mediate_deleted) {`
			`allow all,`

			`# override default pix`
			`/usr/bin/unshare ix,`

add profiles for applications in unconfined mode Adding profiles for applications even if they allow all operations will allow them to be referenced as peer by other policies. This is a step towards a more comprehensive system policy, adding names, instead of just unconfined, to peers of existing policy and to applications that are known to use unprivileged user namespaces. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2023-11-22 16:16:38 -03:00			`userns,`

			`# Site-specific additions and overrides. See local/README for details.`
profiles: convert local include to match profile name The recently added unconfined profiles use the binary name for the local include instead of the profile name. Switch to using the profile name for the local include. Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-11-24 18:52:09 -08:00			`include if exists <local/sbuild-distupgrade>`
add profiles for applications in unconfined mode Adding profiles for applications even if they allow all operations will allow them to be referenced as peer by other policies. This is a step towards a more comprehensive system policy, adding names, instead of just unconfined, to peers of existing policy and to applications that are known to use unprivileged user namespaces. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2023-11-22 16:16:38 -03:00			`}`