Diffstat (limited to 'contrib/apparmor/usr.bin.passt')
-rw-r--r-- | contrib/apparmor/usr.bin.passt | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt index 652051d..564f82f 100644 --- a/contrib/apparmor/usr.bin.passt +++ b/contrib/apparmor/usr.bin.passt @@ -6,7 +6,7 @@ # PASTA - Pack A Subtle Tap Abstraction # for network namespace/tap device mode # -# contrib/apparmor/usr.bin.passt - AppArmor profile for passt(1) and pasta(1) +# contrib/apparmor/usr.bin.passt - AppArmor profile for passt(1) # # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio <sbrivio@redhat.com> @@ -15,13 +15,7 @@ abi <abi/3.0>, include <tunables/global> -profile passt /usr/bin/passt{,.avx2} flags=(attach_disconnected) { - ### TODO: AppArmor doesn't give us the chance to attach a separate profile - ### depending on the executable symlink. That's possible with SELinux. Two - ### alternatives: implement that in AppArmor, or consider aa_change_hat(2). - ### With this, rules for passt(1) could be restricted significantly. Note that - ### the attach_disconnected flag is not needed for passt(1). - +profile passt /usr/bin/passt{,.avx2} { include <abstractions/passt> # Alternatively: include <abstractions/user-tmp> @@ -30,6 +24,4 @@ profile passt /usr/bin/passt{,.avx2} flags=(attach_disconnected) { # logfile_init() owner @{HOME}/** w, # pcap(), write_pidfile() - - include <abstractions/pasta> } |
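Review bot: The new `profile passt /usr/bin/passt{,.avx2} {` line in the second hunk carries no comment recording the packaging assumption that makes it safe to drop `flags=(attach_disconnected)` here and `include <abstractions/pasta>` in the third hunk. The removed TODO said AppArmor cannot select a profile by executable symlink name, so if pasta(1) is still installed as a symlink to this binary it would presumably run under this narrower profile and be denied the accesses that `abstractions/pasta` used to grant. The diffstat shown is limited to this file, so whether a separate pasta profile and executable path are added elsewhere in the commit is not visible from here. I would add a comment above the profile line such as `# passt(1) only: pasta(1) needs its own executable path (not a symlink to passt) and its own profile`. The failure mode is fail-closed, so the point is operability and keeping the least-privilege split from being quietly reverted later.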