mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 00:14:44 +01:00

sbuild is an unconfined profile, allowing it to bypass the unprivileged user namespace restriction. Unconfined profiles use a pix transition, which means that when the unprivileged_unshare profile is enabled and a binary in an unconfined profile calls unshare, it will transition to the unprivileged_unshare profile. This will break sbuild because it needs capabilities within the user namespace. However, we cannot just add an x transition rule to unconfined profiles; the transitions won't be respected. Instead we have to make the profile a default allow profile, and add a transition that will override the default pix transition of allow all. We have to add the attached_disconnected and mediated_deleted flags because sbuild is manipulating mounts.

Signed-off-by: John Johansen <john.johansen@canonical.com>
17 lines
445 B
Text
```
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile sbuild-clean /usr/bin/sbuild-clean flags=(attach_disconnected mediate_deleted) {
  allow all,

  # override default pix
  /usr/bin/unshare ix,

  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/sbuild-clean>
}
```
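An added example, not code from the AppArmor repository: a small Python lint that encodes the rules stated in the commit message above and applies them to a single-profile policy file. The finding codes, the constructed `BEFORE` and `HALF` samples and the regex-based parsing are assumptions made for illustration; it does not replace `apparmor_parser`.

```python
import re

UNSHARE = "/usr/bin/unshare"
HEADER = re.compile(
    r"^\s*profile\s+(\S+)(?:\s+(/\S+))?(?:\s+flags=\(([^)]*)\))?\s*\{", re.M)
# Path rule whose permission string ends in an exec mode (ix, px, Cx, pix, ...).
EXEC_RULE = re.compile(r"^\s*(?:allow\s+)?(/\S+)\s+([A-Za-z]*x)\s*,", re.M)
ALLOW_ALL = re.compile(r"^\s*allow\s+all\s*,", re.M)
MOUNT_FLAGS = {"attach_disconnected", "mediate_deleted"}

def audit(text):
    """Return sorted finding codes for a single-profile policy file."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no profile header found")
    flags = set((m.group(3) or "").replace(",", " ").split())
    body = text[m.end():]
    execs = dict(EXEC_RULE.findall(body))
    findings = set()
    if "unconfined" in flags:
        # Commit message: exec rules here are not respected, so pix applies.
        findings.add("unshare-uses-default-pix")
        if execs:
            findings.add("exec-rules-not-respected")
    elif ALLOW_ALL.search(body):
        # Default allow profile: an explicit non-pix rule must override pix.
        if execs.get(UNSHARE, "pix").lower() == "pix":
            findings.add("unshare-uses-default-pix")
        # The commit adds these flags because sbuild manipulates mounts.
        if not MOUNT_FLAGS <= flags:
            findings.add("missing-mount-flags")
    return sorted(findings)

# Constructed "before" shape (hypothetical rule set, not from the repository).
BEFORE = ("profile sbuild-clean /usr/bin/sbuild-clean flags=(unconfined) {\n"
          "  userns,\n  /usr/bin/unshare ix,\n}\n")
# The profile shown on this page, comments and includes omitted.
AFTER = """\
profile sbuild-clean /usr/bin/sbuild-clean flags=(attach_disconnected mediate_deleted) {
  allow all,
  /usr/bin/unshare ix,
  userns,
}
"""
# Constructed: default allow profile without the override or the flags.
HALF = "profile demo /usr/bin/demo {\n  allow all,\n  userns,\n}\n"

if __name__ == "__main__":
    print({k: audit(v) for k, v in (("before", BEFORE), ("after", AFTER), ("half", HALF))})
```

An empty result for `AFTER` means the profile has the three properties the commit message calls for: default allow, an explicit override for `/usr/bin/unshare`, and both mount-related flags.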