apparmor: Add mount rule with explicit, empty source in passt abstraction

For the policy to work as expected across either AppArmor commit
9d3f8c6cc05d ("parser: fix parsing of source as mount point for
propagation type flags") and commit 300889c3a4b7 ("parser: fix option
flag processing for single conditional rules"), we need one mount
rule with matching mount options as "source" (that is, without
source), and one without mount options and an explicit, empty source.

Link: https://github.com/containers/buildah/issues/5440
Link: https://bugzilla.suse.com/show_bug.cgi?id=1221840
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Stefano Brivio 2024-04-03 19:57:34 +02:00
parent bbea2752f6
commit dc7b7f28b7


@ -27,6 +27,7 @@
/ r, # isolate_prefork(), isolation.c / r, # isolate_prefork(), isolation.c
mount options=(rw, runbindable) /, mount options=(rw, runbindable) /,
mount "" -> "/",
mount "" -> "/tmp/", mount "" -> "/tmp/",
pivot_root "/tmp/" -> "/tmp/", pivot_root "/tmp/" -> "/tmp/",
umount "/", umount "/",
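Review bot: The added `mount "" -> "/",` line has no comment, while the `/ r,` line at the top of this hunk carries `# isolate_prefork(), isolation.c`. The line directly above it, `mount options=(rw, runbindable) /,`, targets the same mount point, so a later reader could take one of the two for a redundant duplicate and drop it. A short trailing comment on each saying which AppArmor parser behaviour it is there for (the commit message names 9d3f8c6cc05d and 300889c3a4b7) would keep both in place. Note also that the new rule states no options where the existing one lists `(rw, runbindable)`; if that difference is required for the rule to match on the affected parser versions, as the commit message suggests, the comment is the right place to say so.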