
Adding profiles for applications, even if they allow all operations, will allow them to be referenced as peers by other policies. This is a step towards a more comprehensive system policy, adding names, instead of just unconfined, to peers of existing policy and to applications that are known to use unprivileged user namespaces. Note that unconfined mode should be changed to default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
#
# Security note: flags=(unconfined) means this profile does not confine
# /usr/bin/lxc-unshare. It only attaches the label "lxc-unshare" so that
# other policies can name the program as a peer. Its presence must not be
# read as sandboxing when auditing which binaries are covered by policy.
# Upstream intends to replace the unconfined flag with default_allow once
# merge request 1109 (referenced in the commit message) is merged.

abi <abi/4.0>,
include <tunables/global>

profile lxc-unshare /usr/bin/lxc-unshare flags=(unconfined) {
  # Explicitly permits creation of user namespaces. On systems that restrict
  # unprivileged user namespaces through AppArmor (e.g. with
  # kernel.apparmor_restrict_unprivileged_userns=1), this rule is what
  # exempts the program from that restriction.
  # NOTE(review): processes started through lxc-unshare presumably keep this
  # label, and with it the userns permission, unless they match another
  # profile's attachment. Confirm against the running AppArmor version, and
  # treat "who may execute this binary" as part of the userns restriction's
  # trust boundary.
  userns,

  # Site-specific additions and overrides. See local/README for details.
  # "include if exists" makes a missing local file a no-op rather than a
  # parse error. The local file is compiled into this profile, so it should
  # be writable by root only.
  include if exists <local/usr.bin.lxc-unshare>
}