[apparmor] generally allow mount options
Jonas Große Sundrup
jgs-apparmor at letopolis.de
Sun Jun 4 00:25:15 UTC 2023
Hi,
I'm currently trying to bind down some software that spawns processes
that will use mount. One instance of this produces the corresponding
line
apparmor="DENIED" operation="pivotroot" class="mount" profile="/myapp"
name="/tmp/" pid=185566 comm="pv-bwrap" srcname="/tmp/oldroot/"
in dmesg.
For this specific software, I'm basically using apparmor in a "do what
you want, but here are some deny-rules for you" fashion, so I'd like to
know what exactly the command would be to just generally allow this
class of operation.
Just "mount,", as I have seen it with "signal,", doesn't seem to do the
trick. Is there a way of allowing this in general without
hard-specifying every path that exists?
Thanks,
Jonas