Starting with commit 770d1a4502dd ("isolation: Initially Keep CAP_SETFCAP if running as UID 0 in non-init"), the lack of this rule became more apparent as pasta needs to access uid_map in procfs even as non-root. However, both passt and pasta need this, in case they are started as root, so add this directly to passt's abstraction (which is sourced by pasta's profile too). Fixes: 770d1a4502dd ("isolation: Initially Keep CAP_SETFCAP if running as UID 0 in non-init") Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- contrib/apparmor/abstractions/passt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt index d778222..6bb25e0 100644 --- a/contrib/apparmor/abstractions/passt +++ b/contrib/apparmor/abstractions/passt @@ -31,6 +31,8 @@ pivot_root "/tmp/" -> "/tmp/", umount "/", + owner @{PROC}/@{pid}/uid_map r, # conf_ugid() + network netlink raw, # nl_sock_init_do(), netlink.c network inet stream, # tcp.c -- 2.39.2
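Review bot: the added rule `owner @{PROC}/@{pid}/uid_map r,` grants read-only access, while the commit message only says pasta needs to "access" uid_map; please confirm that conf_ugid() only reads the file, because any write it attempts would still be denied under this rule, and the non-root case the message calls out is the one to verify. A smaller consistency point: the neighbouring entries name the source file in their trailing comment (`# nl_sock_init_do(), netlink.c`, `# tcp.c`), so `# conf_ugid()` could carry the file name as well.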