-
Notifications
You must be signed in to change notification settings - Fork 38
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
use upstream recommended bwrap apparmor profile
- Loading branch information
1 parent
475e2b3
commit f21c7e6
Showing
3 changed files
with
69 additions
and
10 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| # This profile allows almost everything and only exists to allow | ||
| # bwrap to work on a system with user namespace restrictions | ||
| # being enforced. | ||
| # bwrap is allowed access to user namespaces and capabilities | ||
| # within the user namespace, but its children do not have | ||
| # capabilities, blocking bwrap from being able to be used to | ||
| # arbitrarily by-pass the user namespace restrictions. | ||
| # | ||
| # Note: the bwrap child is stacked against the bwrap profile due to | ||
| # bwraps use of no-new-privs | ||
|
|
||
| # disabled by default as it can break some use cases on a system that | ||
| # doesn't have or has disable user namespace restrictions for unconfined | ||
| # use aa-enforce to enable it | ||
|
|
||
| abi <abi/4.0>, | ||
|
|
||
| include <tunables/global> | ||
|
|
||
| profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) { | ||
| allow capability, | ||
| # not allow all, to allow for pix stack | ||
| # sadly we have to allow m every where to allow children to work under | ||
| # stacking. | ||
| allow file rwlkm /{**,}, | ||
| allow network, | ||
| allow unix, | ||
| allow ptrace, | ||
| allow signal, | ||
| allow mqueue, | ||
| allow io_uring, | ||
| allow userns, | ||
| allow mount, | ||
| allow umount, | ||
| allow pivot_root, | ||
| allow dbus, | ||
| allow px /** -> bwrap//&unpriv_bwrap, | ||
|
|
||
| # the local include should not be used without understanding the userns | ||
| # restriction. | ||
| # Site-specific additions and overrides. See local/README for details. | ||
| include if exists <local/bwrap-userns-restrict> | ||
| } | ||
|
|
||
| profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) { | ||
| # not allow all, to allow for pix stack | ||
| allow file rwlkm /{**,}, | ||
| allow network, | ||
| allow unix, | ||
| allow ptrace, | ||
| allow signal, | ||
| allow mqueue, | ||
| allow io_uring, | ||
| allow userns, | ||
| allow mount, | ||
| allow umount, | ||
| allow pivot_root, | ||
| allow dbus, | ||
|
|
||
| allow pix /** -> &unpriv_bwrap, | ||
|
|
||
| audit deny capability, | ||
|
|
||
| # the local include should not be used without understanding the userns | ||
| # restriction. | ||
| # Site-specific additions and overrides. See local/README for details. | ||
| include if exists <local/unpriv_bwrap> | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters