mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

profiles: fix unshare for deleted files

Browse source 
Unfortunately similar to bwrap unshare will need the mediate_deleted
flag in some cases.

see
  commit 6488e1fb7 "profiles: add mediate_deleted to bwrap"

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2025-02-06 10:42:12 -08:00
parent 002bf1339c
commit c157eb0cb6
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
profiles/apparmor/profiles/extras/unshare-userns-restrict
View file

@ -17,7 +17,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
profile unshare /usr/bin/unshare flags=(attach_disconnected) { profile unshare /usr/bin/unshare flags=(attach_disconnected mediate_deleted) {
# not allow all, to allow for cix transition # not allow all, to allow for cix transition
# and to limit executable mapping to just unshare # and to limit executable mapping to just unshare
allow capability, allow capability,
@ -43,7 +43,7 @@ profile unshare /usr/bin/unshare flags=(attach_disconnected) {
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
include if exists <local/unshare-userns-restrict> include if exists <local/unshare-userns-restrict>
profile unpriv flags=(attach_disconnected) { profile unpriv flags=(attach_disconnected mediate_deleted) {
# not allow all, to allow for pix stack # not allow all, to allow for pix stack
allow file rwlkm /{**,}, allow file rwlkm /{**,},
allow network, allow network,