apparmor: Allow pasta to remount /proc, access entries under its own copy
Since commitb0e450aa85("pasta: Detach mount namespace, (re)mount procfs before spawning command"), we need to explicitly permit mount of /proc, and access to entries under /proc/PID/net (after remount, that's what AppArmor sees as path). Fixes:b0e450aa85("pasta: Detach mount namespace, (re)mount procfs before spawning command") Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
Stefano Brivio
parent
e2ad420fa2
commit
abf5ef6c22
1 changed files with 7 additions and 0 deletions
|
|
@ -15,11 +15,18 @@
|
||||||
|
|
||||||
include <abstractions/passt>
|
include <abstractions/passt>
|
||||||
|
|
||||||
|
mount "" -> "/proc/",
|
||||||
|
|
||||||
@{PROC}/net/tcp r, # procfs_scan_listen(), util.c
|
@{PROC}/net/tcp r, # procfs_scan_listen(), util.c
|
||||||
@{PROC}/net/tcp6 r,
|
@{PROC}/net/tcp6 r,
|
||||||
@{PROC}/net/udp r,
|
@{PROC}/net/udp r,
|
||||||
@{PROC}/net/udp6 r,
|
@{PROC}/net/udp6 r,
|
||||||
|
|
||||||
|
@{PROC}/@{pid}/net/tcp r, # procfs_scan_listen(), util.c
|
||||||
|
@{PROC}/@{pid}/net/tcp6 r,
|
||||||
|
@{PROC}/@{pid}/net/udp r,
|
||||||
|
@{PROC}/@{pid}/net/udp6 r,
|
||||||
|
|
||||||
@{run}/user/@{uid}/netns/* r, # pasta_open_ns(), pasta.c
|
@{run}/user/@{uid}/netns/* r, # pasta_open_ns(), pasta.c
|
||||||
|
|
||||||
@{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(),
|
@{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(),
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue