[apparmor] generally allow mount options
John Johansen
john.johansen at canonical.com
Sun Jun 4 00:32:49 UTC 2023
On 6/3/23 17:25, Jonas Große Sundrup wrote:
> Hi,
>
> I'm currently trying to bind down some software that spawns processes
> that will use mount. One instance of this produces the corresponding
> line
>
> apparmor="DENIED" operation="pivotroot" class="mount" profile="/myapp"
> name="/tmp/" pid=185566 comm="pv-bwrap" srcname="/tmp/oldroot/"
>
> in dmesg.
>
> For this specific software, I'm basically using apparmor in a "do what
> you want, but here are some deny-rules for you" fashion, so I'd like to
> know what exactly the command would be to just generally allow this
> class of operation.
>
> just "mount,", as I have seen it with "signal,", doesn't seem to do the
> trick. Is there a way of allowing this in general without hard-
> specifying every path that exists?
>
mount, # allow all mount operations
pivot_root, # allow all pivot roots
umount, # allow unmounting
You can then carve out specific rules if you need to with deny rules.
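The three rules from the reply placed in a complete profile, as an added example that is not from the thread or the AppArmor project: the profile path /usr/local/bin/myapp, the specific carve-outs and the comments are assumptions chosen to match the denial quoted above (operation="pivotroot" with srcname="/tmp/oldroot/" and name="/tmp/"), not rules from the original post.

```apparmor
#include <tunables/global>

# Hypothetical profile for the thread's "myapp"; the binary path is an assumption.
/usr/local/bin/myapp {
  #include <abstractions/base>

  # Broad rules for the three mount-class operations. The quoted denial is
  # operation="pivotroot", which is its own rule type: a bare "mount," rule
  # does not cover it, hence the separate pivot_root rule.
  mount,        # any mount: any source, mountpoint, fstype and options
  pivot_root,   # any pivot_root, including /tmp/oldroot/ -> /tmp/ from the log
  umount,       # any unmount

  # Carve-outs (assumed, for illustration). Deny rules take precedence over
  # allow rules, so these still apply even though the rules above allow
  # every mount-class operation. Prefix with "audit" to log hits, since
  # explicit deny rules are quiet by default.
  audit deny mount -> /etc/**,    # nothing may be mounted over /etc
  audit deny mount -> /boot/**,   # or over /boot
  audit deny umount /proc/,       # keep /proc mounted
}
```

Load or reload the profile with apparmor_parser -r <profile file> and watch dmesg for any remaining class="mount" denials; each one names the exact operation (mount, umount, pivotroot) to tell you which of the three rule types is still missing.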