From mboxrd@z Thu Jan  1 00:00:00 1970
Received: by passt.top (Postfix, from userid 1000)
	id 58D565A0271; Wed,  3 Apr 2024 21:04:25 +0200 (CEST)
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH 1/3] apparmor: Add mount rule with explicit, empty source in passt abstraction
Date: Wed,  3 Apr 2024 21:04:19 +0200
Message-ID: <20240403190425.2848764-2-sbrivio@redhat.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240403190425.2848764-1-sbrivio@redhat.com>
References: <20240403190425.2848764-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: CLECGKEQKWYQYSD6L3GFLSOWXOA7L7UL
X-Message-ID-Hash: CLECGKEQKWYQYSD6L3GFLSOWXOA7L7UL
X-MailFrom: sbrivio@passt.top
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: =?UTF-8?q?J=C3=B6rg=20Sonnenberger?= <joerg@bec.de>, Danish Prakash <danish.prakash@suse.com>, Christian Boltz <suse-beta@cboltz.de>, Paul Holzinger <pholzing@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240403190425.2848764-2-sbrivio@redhat.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/CLECGKEQKWYQYSD6L3GFLSOWXOA7L7UL/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

For the policy to work as expected across either AppArmor commit
9d3f8c6cc05d ("parser: fix parsing of source as mount point for
propagation type flags") and commit 300889c3a4b7 ("parser: fix option
flag processing for single conditional rules"), we need one mount
rule with matching mount options as "source" (that is, without
source), and one without mount options and an explicit, empty source.

Link: https://github.com/containers/buildah/issues/5440
Link: https://bugzilla.suse.com/show_bug.cgi?id=1221840
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/apparmor/abstractions/passt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 6bb25e0..61ec32c 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -27,6 +27,7 @@
 
   /					r,	# isolate_prefork(), isolation.c
   mount options=(rw, runbindable) /,
+  mount		""	-> "/",
   mount		""	-> "/tmp/",
   pivot_root	"/tmp/" -> "/tmp/",
   umount	"/",
-- 
2.43.0