From 100919ce745b987f57c8eb24e55e576c530d2be5 Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com>
Date: Wed, 3 Apr 2024 20:12:47 +0200
Subject: apparmor: Expand scope of @{run}/user access, allow writing PID files
 too
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With Podman's custom networks, pasta will typically need to open the
target network namespace at /run/user/<UID>/containers/networks:
grant access to anything under /run/user/<UID> instead of limiting it
to some subpath.

Note that in this case, Podman will need pasta to write out a PID
file, so we need write access, for similar locations, too.

Reported-by: Jörg Sonnenberger <joerg@bec.de>
Link: https://github.com/containers/buildah/issues/5440
Link: https://bugzilla.suse.com/show_bug.cgi?id=1221840
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/apparmor/abstractions/pasta | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
index a890391..060caab 100644
--- a/contrib/apparmor/abstractions/pasta
+++ b/contrib/apparmor/abstractions/pasta
@@ -27,7 +27,7 @@
   @{PROC}/@{pid}/net/udp		r,
   @{PROC}/@{pid}/net/udp6		r,
 
-  @{run}/user/@{uid}/netns/*		r,	# pasta_open_ns(), pasta.c
+  @{run}/user/@{uid}/**			rw,	# pasta_open_ns(), main()
 
   @{PROC}/[0-9]*/ns/net			r,	# pasta_wait_for_ns(),
   @{PROC}/[0-9]*/ns/user		r,	# conf_pasta_ns()
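Review bot: the replacement rule `@{run}/user/@{uid}/** rw,` is far broader than what the commit message justifies: it grants read and write (and therefore create and delete) on every file and subdirectory under the user's runtime directory, not just the network-namespace and PID-file paths pasta actually needs, so a compromised pasta could clobber any other per-user runtime state kept there. Consider keeping the old `@{run}/user/@{uid}/netns/* r,` line, adding a read rule scoped to the path named in the message (e.g. `@{run}/user/@{uid}/containers/networks/** r,`), and granting `w` only on the specific location where the PID file is written, rather than `**` with `rw`. Separately, the trailing comment now reads `# pasta_open_ns(), main()` while the neighbouring rules cite the source file (`pasta.c`, `conf_pasta_ns()`); stating which file `main()` lives in would keep the annotations consistent.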
-- 