diff --git a/profiles/apparmor.d/sbuild b/profiles/apparmor.d/sbuild index 1b9bae999..28f3e41d7 100644 --- a/profiles/apparmor.d/sbuild +++ b/profiles/apparmor.d/sbuild @@ -4,9 +4,14 @@ abi , include -profile sbuild /usr/bin/sbuild flags=(unconfined) { +profile sbuild /usr/bin/sbuild flags=(attach_disconnected mediate_deleted) { + allow all, + userns, + # override default pix + /usr/bin/unshare ix, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/sbuild-abort b/profiles/apparmor.d/sbuild-abort index b147d5b3b..77b60db3f 100644 --- a/profiles/apparmor.d/sbuild-abort +++ b/profiles/apparmor.d/sbuild-abort @@ -4,7 +4,12 @@ abi , include -profile sbuild-abort /usr/bin/sbuild-abort flags=(unconfined) { +profile sbuild-abort /usr/bin/sbuild-abort flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-adduser b/profiles/apparmor.d/sbuild-adduser index a7f1322ba..bb67c50e7 100644 --- a/profiles/apparmor.d/sbuild-adduser +++ b/profiles/apparmor.d/sbuild-adduser @@ -4,7 +4,12 @@ abi , include -profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(unconfined) { +profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-apt b/profiles/apparmor.d/sbuild-apt index 0257e4574..f50fc4f3b 100644 --- a/profiles/apparmor.d/sbuild-apt +++ b/profiles/apparmor.d/sbuild-apt 
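Review bot: The comment `# override default pix` above `/usr/bin/unshare ix,` in the sbuild hunk says what the rule does but not why, and the reason is the security-relevant part. Presumably `ix` is there so that unshare stays in this profile and keeps its `userns,` grant instead of transitioning to whatever profile attaches to /usr/bin/unshare; if so, the comment should say it, e.g. `# allow all defaults exec to pix; keep unshare in this profile (ix) so it retains userns instead of switching to its own profile`. It is also worth one more comment line noting that with `ix` anything unshare goes on to exec that has no profile of its own inherits `allow all` plus `userns`, which looks like it would include package build steps, so a reader can judge whether that reach is intended for every helper. The same comment and rule are repeated in the other thirteen sbuild-* hunks (sbuild-abort through sbuild-upgrade), where the profile body continues past the end of the hunk.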
@@ -4,7 +4,12 @@ abi , include -profile sbuild-apt /usr/bin/sbuild-apt flags=(unconfined) { +profile sbuild-apt /usr/bin/sbuild-apt flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-checkpackages b/profiles/apparmor.d/sbuild-checkpackages index aa52207eb..c4f8812d1 100644 --- a/profiles/apparmor.d/sbuild-checkpackages +++ b/profiles/apparmor.d/sbuild-checkpackages @@ -4,7 +4,12 @@ abi , include -profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(unconfined) { +profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-clean b/profiles/apparmor.d/sbuild-clean index c2ecc9cf7..eca646a51 100644 --- a/profiles/apparmor.d/sbuild-clean +++ b/profiles/apparmor.d/sbuild-clean @@ -4,7 +4,12 @@ abi , include -profile sbuild-clean /usr/bin/sbuild-clean flags=(unconfined) { +profile sbuild-clean /usr/bin/sbuild-clean flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-createchroot b/profiles/apparmor.d/sbuild-createchroot index e58b130c3..85ffa3ed6 100644 --- a/profiles/apparmor.d/sbuild-createchroot +++ b/profiles/apparmor.d/sbuild-createchroot 
@@ -4,7 +4,12 @@ abi , include -profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(unconfined) { +profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-destroychroot b/profiles/apparmor.d/sbuild-destroychroot index 217809723..7232c2ce6 100644 --- a/profiles/apparmor.d/sbuild-destroychroot +++ b/profiles/apparmor.d/sbuild-destroychroot @@ -4,7 +4,12 @@ abi , include -profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(unconfined) { +profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-distupgrade b/profiles/apparmor.d/sbuild-distupgrade index c5c6f7dfd..8df44146f 100644 --- a/profiles/apparmor.d/sbuild-distupgrade +++ b/profiles/apparmor.d/sbuild-distupgrade @@ -4,7 +4,12 @@ abi , include -profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(unconfined) { +profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-hold b/profiles/apparmor.d/sbuild-hold index 7f592f1cc..0a07994ec 100644 --- a/profiles/apparmor.d/sbuild-hold +++ b/profiles/apparmor.d/sbuild-hold 
@@ -4,7 +4,12 @@ abi , include -profile sbuild-hold /usr/bin/sbuild-hold flags=(unconfined) { +profile sbuild-hold /usr/bin/sbuild-hold flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-shell b/profiles/apparmor.d/sbuild-shell index be97320fd..d93b70e6d 100644 --- a/profiles/apparmor.d/sbuild-shell +++ b/profiles/apparmor.d/sbuild-shell @@ -4,7 +4,12 @@ abi , include -profile sbuild-shell /usr/bin/sbuild-shell flags=(unconfined) { +profile sbuild-shell /usr/bin/sbuild-shell flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-unhold b/profiles/apparmor.d/sbuild-unhold index c06f56deb..13c009633 100644 --- a/profiles/apparmor.d/sbuild-unhold +++ b/profiles/apparmor.d/sbuild-unhold @@ -4,7 +4,12 @@ abi , include -profile sbuild-unhold /usr/bin/sbuild-unhold flags=(unconfined) { +profile sbuild-unhold /usr/bin/sbuild-unhold flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-update b/profiles/apparmor.d/sbuild-update index dcca130df..764c11e26 100644 --- a/profiles/apparmor.d/sbuild-update +++ b/profiles/apparmor.d/sbuild-update @@ -4,7 +4,12 @@ abi , include -profile sbuild-update /usr/bin/sbuild-update flags=(unconfined) { +profile sbuild-update /usr/bin/sbuild-update flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details. 
diff --git a/profiles/apparmor.d/sbuild-upgrade b/profiles/apparmor.d/sbuild-upgrade index be154b03e..3ee9d328a 100644 --- a/profiles/apparmor.d/sbuild-upgrade +++ b/profiles/apparmor.d/sbuild-upgrade @@ -4,7 +4,12 @@ abi , include -profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(unconfined) { +profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(attach_disconnected mediate_deleted) { + allow all, + + # override default pix + /usr/bin/unshare ix, + userns, # Site-specific additions and overrides. See local/README for details.