[PATCH 0/3] Assorted AppArmor policy fixes for passt and pasta
Related to:
  https://github.com/containers/buildah/issues/5440
  https://bugzilla.suse.com/show_bug.cgi?id=1221840

Danish Prakash (1):
  apparmor: Fix access to procfs namespace entries in pasta's abstraction

Stefano Brivio (2):
  apparmor: Add mount rule with explicit, empty source in passt abstraction
  apparmor: Expand scope of @{run}/user access, allow writing PID files too

 contrib/apparmor/abstractions/passt | 1 +
 contrib/apparmor/abstractions/pasta | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

--
2.43.0

apparmor: Add mount rule with explicit, empty source in passt abstraction

For the policy to work as expected across either AppArmor commit
9d3f8c6cc05d ("parser: fix parsing of source as mount point for
propagation type flags") and commit 300889c3a4b7 ("parser: fix option
flag processing for single conditional rules"), we need one mount
rule with matching mount options as "source" (that is, without
source), and one without mount options and an explicit, empty source.
Link: https://github.com/containers/buildah/issues/5440
Link: https://bugzilla.suse.com/show_bug.cgi?id=1221840
Signed-off-by: Stefano Brivio

apparmor: Expand scope of @{run}/user access, allow writing PID files too

With Podman's custom networks, pasta will typically need to open the
target network namespace at /run/user/<UID>/containers/networks:
grant access to anything under /run/user/<UID> instead of limiting it
to some subpath.
Note that in this case, Podman will need pasta to write out a PID
file, so we need write access, for similar locations, too.
Reported-by: Jörg Sonnenberger
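The two mount rule shapes the first commit message asks for, and the widened @{run}/user access of the third, shown as an illustrative AppArmor abstraction fragment. This is added here for clarity; it is not the contents of passt's or pasta's abstraction files. The propagation flag used (runbindable), the glob under @{run}/user, the "before" subpath, and the use of the owner qualifier are all assumptions; only the rule grammar (mount options, an optional source, an optional "-> mountpoint") follows the apparmor.d(5) mount rule syntax.

```apparmor
  # Illustrative fragment, not the project's own abstraction. The
  # propagation flag (runbindable) and the paths below are assumed.

  # Shape 1: mount options given, no source. The path after "->" is the
  # mount point. This is the form that matches once the parser treats
  # a lone path with propagation-type flags as the mount point
  # (AppArmor commit 9d3f8c6cc05d, see the commit message above).
  mount options=(rw, runbindable) -> /,

  # Shape 2: no mount options, explicit empty source (""). Kept alongside
  # shape 1 so the policy also holds with commit 300889c3a4b7's handling
  # of single conditional rules; together the pair covers both parsers.
  mount "" -> /,

  # Before (assumed): read access limited to one subpath of /run/user/<UID>
  #   owner @{run}/user/*/containers/networks/** r,
  # After: anything under /run/user/<UID>, with write access too, so the
  # network namespace under .../containers/networks can be opened and the
  # PID file Podman asks for can be created.
  owner @{run}/user/*/** rw,
```

The owner qualifier is a choice made here, not something the commit messages require: it limits the widened rule to files owned by the user running pasta, which is the usual case for a per-user /run/user/<UID> directory. Load the profile with apparmor_parser -r and check the audit log for DENIED entries if a mount or file access is still rejected.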
From: Danish Prakash