sbuild is an unconfined profile allowing it to by-pass the unprivlieged
user namespace restritction.
unconfined profiles us a pix transition which means when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calls unshare it will transition to the unprivileged_unshare
profile.
This will break sbuild because it needs capabilities within the
user namespace.
However we can not just add a x transition rule to unconfined profiles,
the transitions won't be respected. Instead we have to make the profile
a default allow profile, and add a transition that will override
the default pix transition of allow all.
We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Rename the "check-extras" target to "check-local" as it is no longer
limited to the extra profiles, and also fix a local include in the
sbuild-shell profile so that it passes the newly-applied CI check.
Adding profiles for applications even if they allow all operations
will allow them to be referenced as peer by other policies. This is a
step towards a more comprehensive system policy, adding names, instead
of just unconfined, to peers of existing policy and to applications
that are known to use unprivileged user namespaces.
Note that unconfined mode should be changed for default_allow
when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is
merged.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
