mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 00:14:44 +01:00
7abfc1baf7
sbuild is an unconfined profile allowing it to by-pass the unprivlieged user namespace restritction. unconfined profiles us a pix transition which means when the unprivileged_unshare profile is enabled, the binaries in an unconfined profile calls unshare it will transition to the unprivileged_unshare profile. This will break sbuild because it needs capabilities within the user namespace. However we can not just add a x transition rule to unconfined profiles, the transitions won't be respected. Instead we have to make the profile a default allow profile, and add a transition that will override the default pix transition of allow all. We have to add the attached_disconnected and mediated_deleted flags because sbuild is manipulating mounts. Signed-off-by: John Johansen <john.johansen@canonical.com> |
||
|---|---|---|
| .. | ||
| apparmor/profiles/extras | ||
| apparmor.d | ||
| Makefile | ||