From c157eb0cb6a823b1ce0755de271de0333007b7bf Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Thu, 6 Feb 2025 10:42:12 -0800
Subject: [PATCH] profiles: fix unshare for deleted files

Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.

see
  commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 profiles/apparmor/profiles/extras/unshare-userns-restrict | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/profiles/apparmor/profiles/extras/unshare-userns-restrict b/profiles/apparmor/profiles/extras/unshare-userns-restrict
index 9d9777ca3..ea19c05f8 100644
--- a/profiles/apparmor/profiles/extras/unshare-userns-restrict
+++ b/profiles/apparmor/profiles/extras/unshare-userns-restrict
@@ -17,7 +17,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+profile unshare /usr/bin/unshare flags=(attach_disconnected mediate_deleted) {
   # not allow all, to allow for cix transition
   # and to limit executable mapping to just unshare
   allow capability,
@@ -43,7 +43,7 @@ profile unshare /usr/bin/unshare flags=(attach_disconnected) {
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/unshare-userns-restrict>
 
-  profile unpriv flags=(attach_disconnected) {
+  profile unpriv flags=(attach_disconnected mediate_deleted) {
     # not allow all, to allow for pix stack
     allow file rwlkm /{**,},
     allow network,