Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/apparmor/abstractions/passt | 1 | ||||
-rw-r--r-- | contrib/apparmor/abstractions/pasta | 5 | ||||
-rw-r--r-- | contrib/apparmor/usr.bin.pasta | 5 |
3 files changed, 8 insertions, 3 deletions
diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 6bb25e0..61ec32c 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -27,6 +27,7 @@
/ r, # isolate_prefork(), isolation.c
mount options=(rw, runbindable) /,
+ mount "" -> "/",
mount "" -> "/tmp/",
pivot_root "/tmp/" -> "/tmp/",
umount "/",
diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
index a890391..581ad1b 100644
--- a/contrib/apparmor/abstractions/pasta
+++ b/contrib/apparmor/abstractions/pasta
@@ -27,8 +27,9 @@
@{PROC}/@{pid}/net/udp r,
@{PROC}/@{pid}/net/udp6 r,
- @{run}/user/@{uid}/netns/* r, # pasta_open_ns(), pasta.c
+ @{run}/user/@{uid}/** rw, # pasta_open_ns(), main()
+ @{PROC}/[0-9]*/ns/ r, # pasta_netns_quit_init(),
@{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(),
@{PROC}/[0-9]*/ns/user r, # conf_pasta_ns()
@@ -42,3 +43,5 @@
/{usr/,}bin/** Ux,
/usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c
+
+ ptrace r, # pasta_open_ns()
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
index e5ee4df..bdfeb71 100644
--- a/contrib/apparmor/usr.bin.pasta
+++ b/contrib/apparmor/usr.bin.pasta
@@ -19,9 +19,10 @@ profile pasta /usr/bin/pasta{,.avx2} flags=(attach_disconnected) {
include <abstractions/pasta>
# Alternatively: include <abstractions/user-tmp>
- owner /tmp/** w, # tap_sock_unix_init(), pcap(),
+ /tmp/** rw, # tap_sock_unix_init(), pcap(),
# write_pidfile(),
- # logfile_init()
+ # logfile_init(),
+ # pasta_open_ns()
owner @{HOME}/** w, # pcap(), write_pidfile()
}
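Review bot: The added `mount "" -> "/",` carries neither an fstype nor an `options=(...)` qualifier, so it allows any empty-source mount onto the root directory, which is broader than the neighbouring `mount options=(rw, runbindable) /,` and `mount "" -> "/tmp/",` rules. If isolate_prefork() only needs a further propagation change on / (the comment on the `/ r,` line points at that function), an options-constrained rule in the style of the line above, e.g. `mount options=(rw, rprivate) /,`, would keep the grant to the minimum the call needs. Whichever form is kept, the new line is the only one in this group without a comment naming the call it serves; `mount "" -> "/", # isolate_prefork(), isolation.c` would match the file's convention. isolation.c is not visible here, so the exact mount flags the code uses should be confirmed before narrowing.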
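Review bot: Replacing `@{run}/user/@{uid}/netns/* r,` with `@{run}/user/@{uid}/** rw,` widens the rule from read access on netns files to read and write access over the user's whole runtime directory, which typically also holds sockets and state belonging to unrelated programs, and unlike the `/tmp` and `@{HOME}` rules in usr.bin.pasta it has no `owner` qualifier. At minimum the write grant should be limited to files pasta owns, `owner @{run}/user/@{uid}/** rw,`, and preferably the original `@{run}/user/@{uid}/netns/* r,` line kept with a separate rule naming the specific sub-path main() writes. main() is not visible here, so that path has to be taken from the code.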
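Review bot: `ptrace r,` is added without a `peer=` qualifier, so pasta is allowed ptrace-read checks against any process on the system rather than only the one whose namespace pasta_open_ns() opens. If the target is known to be unconfined (a user's shell or container process), `ptrace (read) peer=unconfined,` narrows the grant; if its profile cannot be predicted, the line should at least say why the permission exists, e.g. `ptrace r, # pasta_open_ns(): opening /proc/PID/ns/* requires ptrace-read on PID`. This reading is inferred from the rule and its comment; pasta.c is not visible here.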
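Review bot: Dropping the `owner` qualifier from the `/tmp/**` rule while adding `r` gives pasta read and write access to every file under /tmp regardless of who owns it, and the `owner @{HOME}/** w,` line directly below keeps the qualifier, so the profile is now both broader than before and inconsistent with itself. If pasta_open_ns() only needs to read a namespace path that another user may have placed in /tmp, confine the widening to reads with `/tmp/** r,` and `owner /tmp/** w,`; if it also writes there, `owner /tmp/** rw,` keeps the previous ownership restriction. The enclosing `profile pasta` block opens before this hunk, and the reason the read was needed is not visible here.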