| author | Stefano Brivio <sbrivio@redhat.com> | 2023-09-06 21:09:47 +0200 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2023-09-07 00:31:35 +0200 |
| commit | e2ad420fa268533628c32acab35fb66f187cef39 (patch) | |
| tree | 4da9e2382ac7d1545c2da77419ef73ce135b5a8b /contrib/apparmor/abstractions | |
| parent | b686afa23e85321f9e376b2aeddddb6e70adc22b (diff) | |
apparmor: Allow read-only access to uid_map
Starting with commit 770d1a4502dd ("isolation: Initially Keep
CAP_SETFCAP if running as UID 0 in non-init"), the lack of this rule
became more apparent as pasta needs to access uid_map in procfs even
as non-root.
However, both passt and pasta need this, in case they are started as
root, so add this directly to passt's abstraction (which is sourced
by pasta's profile too).
Fixes: 770d1a4502dd ("isolation: Initially Keep CAP_SETFCAP if running as UID 0 in non-init")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'contrib/apparmor/abstractions')
-rw-r--r-- | contrib/apparmor/abstractions/passt | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt index d778222..6bb25e0 100644 --- a/contrib/apparmor/abstractions/passt +++ b/contrib/apparmor/abstractions/passt @@ -31,6 +31,8 @@ pivot_root "/tmp/" -> "/tmp/", umount "/", + owner @{PROC}/@{pid}/uid_map r, # conf_ugid() + network netlink raw, # nl_sock_init_do(), netlink.c network inet stream, # tcp.c |
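Review bot: the `owner` qualifier on the new `owner @{PROC}/@{pid}/uid_map r,` rule only permits reads of uid_map entries whose owner matches the task's current uid, and `@{pid}` matches any numeric pid rather than the task's own; since the commit message says the read in conf_ugid() is needed precisely on the path where passt/pasta start as root and then drop privileges, verify that the read happens while the task's /proc entry is still owned by its current uid (a task whose credentials have changed can end up with root-owned /proc/@{pid} entries, which this rule would then deny), and consider whether the rule can be narrowed further if only the process's own mapping is needed. As a style point, the neighbouring rules name the source file as well as the function (`# nl_sock_init_do(), netlink.c`, `# tcp.c`); the new comment `# conf_ugid()` should name the file that defines conf_ugid() for consistency.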