author: Stefano Brivio <sbrivio@redhat.com> 2024-04-03 19:57:34 +0200
committer: Stefano Brivio <sbrivio@redhat.com> 2024-04-05 12:12:26 +0200
commit: dc7b7f28b7328e17a49022368b6eb543ef1cc33a
tree: 46dd3d6ea0fb44ef87a33d8978fe4b2ca9540058 /contrib/apparmor/abstractions
parent: bbea2752f681d8c255779d912c9abdc8a7051b6f
apparmor: Add mount rule with explicit, empty source in passt abstraction

For the policy to work as expected across either AppArmor commit
9d3f8c6cc05d ("parser: fix parsing of source as mount point for
propagation type flags") and commit 300889c3a4b7 ("parser: fix option
flag processing for single conditional rules"), we need one mount rule
with matching mount options as "source" (that is, without source), and
one without mount options and an explicit, empty source.

Link: https://github.com/containers/buildah/issues/5440
Link: https://bugzilla.suse.com/show_bug.cgi?id=1221840
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Diffstat (limited to 'contrib/apparmor/abstractions')
-rw-r--r-- contrib/apparmor/abstractions/passt 1
1 files changed, 1 insertions, 0 deletions
diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 6bb25e0..61ec32c 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -27,6 +27,7 @@
/ r, # isolate_prefork(), isolation.c
mount options=(rw, runbindable) /,
+ mount "" -> "/",
mount "" -> "/tmp/",
pivot_root "/tmp/" -> "/tmp/",
umount "/",
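
Review bot: the added line mount "" -> "/", has no comment explaining why it sits next to mount options=(rw, runbindable) /, and read on their own the two rules look like duplicates for the same target, so a later cleanup could drop one and break the policy on one of the two parser behaviours. The reason (the two AppArmor parser commits 9d3f8c6cc05d and 300889c3a4b7) is only in the commit message; a short comment on or above the new line, in the style of the existing "# isolate_prefork(), isolation.c" note, would keep it with the rule. The new rule also has no options= qualifier, so it is worth confirming on a parser that includes both fixes that it allows nothing beyond the remount the preceding line is meant to permit.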