passt/contrib/apparmor/abstractions/passt

# SPDX-License-Identifier: GPL-2.0-or-later
#
# PASST - Plug A Simple Socket Transport
#  for qemu/UNIX domain socket mode
#
# PASTA - Pack A Subtle Tap Abstraction
#  for network namespace/tap device mode
#
# contrib/apparmor/abstractions/passt - Abstraction for passt(1)
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>

  abi <abi/3.0>,

  include <abstractions/base>

  include <abstractions/nameservice>		# get_dns(), conf.c

  capability net_bind_service,			# isolation.c, conf.c
  capability setuid,
  capability setgid,
  capability sys_admin,
  capability setpcap,
  capability net_admin,
  capability sys_ptrace,

  /					r,	# isolate_prefork(), isolation.c
  mount options=(rw, runbindable) /,
  mount		""	-> "/",
  mount		""	-> "/tmp/",
  pivot_root	"/tmp/" -> "/tmp/",
  umount	"/",

  owner @{PROC}/@{pid}/uid_map		r,	# conf_ugid()

  network netlink raw,				# nl_sock_init_do(), netlink.c

  network inet stream,				# tcp.c
  network inet6 stream,

  network inet dgram,				# udp.c
  network inet6 dgram,

  network unix stream,				# tap.c

  network unix dgram,				# __openlog(), log.c

  /usr/bin/passt.avx2			ix,	# arch_avx2_exec(), arch.c