From e2ad420fa268533628c32acab35fb66f187cef39 Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 6 Sep 2023 21:09:47 +0200
Subject: apparmor: Allow read-only access to uid_map

Starting with commit 770d1a4502dd ("isolation: Initially Keep CAP_SETFCAP
if running as UID 0 in non-init"), the lack of this rule became more
apparent as pasta needs to access uid_map in procfs even as non-root.

However, both passt and pasta need this, in case they are started as
root, so add this directly to passt's abstraction (which is sourced by
pasta's profile too).

Fixes: 770d1a4502dd ("isolation: Initially Keep CAP_SETFCAP if running as UID 0 in non-init")
Signed-off-by: Stefano Brivio
---
 contrib/apparmor/abstractions/passt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index d778222..6bb25e0 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -31,6 +31,8 @@
   pivot_root "/tmp/" -> "/tmp/",
   umount "/",
 
+  owner @{PROC}/@{pid}/uid_map r, # conf_ugid()
+
   network netlink raw, # nl_sock_init_do(), netlink.c
   network inet stream, # tcp.c
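Review bot: the new rule is qualified with `owner`, so the read of `@{PROC}/@{pid}/uid_map` is only permitted when the file's owner matches the process's fsuid, yet the commit message says the access is needed precisely in the case where passt or pasta are started as root and then switch UID. Please confirm that conf_ugid() reads uid_map before the UID switch, or that the process's /proc entries are still owned by its current UID at the point of the read; otherwise the rule will deny silently in exactly the root-started case it is meant to cover, and a plain `@{PROC}/@{pid}/uid_map r,` (read-only, as the subject line already promises) would be the safer form. A minor style point in the same hunk: the neighbouring rules tag each entry with both the function and the source file (`# nl_sock_init_do(), netlink.c`, `# tcp.c`), while the added line names only `conf_ugid()`; adding the file name would keep the comments consistent.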