From 385d206348e4dad96ab4fe0fd08f3818515e3906 Mon Sep 17 00:00:00 2001
Message-ID: <385d206348e4dad96ab4fe0fd08f3818515e3906.1686423653.git.maciek.borzecki@gmail.com>
From: Michael Vogt <mvo@ubuntu.com>
Date: Mon, 5 Jun 2023 16:18:47 +0200
Subject: [PATCH] snap-confine: add `tmpfs` mount rule to apparmor profile (#12845)
There is a bugfix to make the mount rules more strict/explicit in apparmor 3.0.10, see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.10 - this affects snapd as its current profile relies on the implicit behavior. With this commit the missing mount rule is added explicitly.
Signed-off-by: Maciej Borzecki <maciek.borzecki@gmail.com>
---
cmd/snap-confine/snap-confine.apparmor.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
index fb999368bc477f1fa311047696480becfe1e65ad..73d14c8c781b00fd1b3c28f814c9d7686d05c679 100644
--- a/cmd/snap-confine/snap-confine.apparmor.in
+++ b/cmd/snap-confine/snap-confine.apparmor.in
@@ -172,6 +172,7 @@
# boostrapping the mount namespace
/tmp/snap.rootfs_*/ rw,
+ mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,
mount options=(rw rshared) -> /,
mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
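Review bot: the new `mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,` rule constrains only the filesystem type, while every neighbouring mount rule in this block also pins its `options=(...)`; if snap-confine mounts this tmpfs with fixed flags (for example nosuid/nodev), encoding them in the rule keeps it as strict as the rest of the profile and matches the "more strict/explicit" intent stated in the commit message, otherwise a comment noting why no option constraint is needed would help future readers. While touching this block, the context comment `# boostrapping the mount namespace` has a typo (bootstrapping).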
--
2.41.0