mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 00:14:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge profiles: fix unshare for deleted files

Browse source 
Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.

see
  commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1521
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Ryan Lee <rlee287@yahoo.com>
This commit is contained in:
Ryan Lee 2025-02-06 19:44:21 +00:00
commit b5b1944f58
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
profiles/apparmor/profiles/extras/unshare-userns-restrict
View file

@ -17,7 +17,7 @@ abi <abi/4.0>,
include <tunables/global>
profile unshare /usr/bin/unshare flags=(attach_disconnected) {
profile unshare /usr/bin/unshare flags=(attach_disconnected mediate_deleted) {
# not allow all, to allow for cix transition
# and to limit executable mapping to just unshare
allow capability,
@ -43,7 +43,7 @@ profile unshare /usr/bin/unshare flags=(attach_disconnected) {
# Site-specific additions and overrides. See local/README for details.
include if exists <local/unshare-userns-restrict>
profile unpriv flags=(attach_disconnected) {
profile unpriv flags=(attach_disconnected mediate_deleted) {
# not allow all, to allow for pix stack
allow file rwlkm /{**,},
allow network,