On 6/3/23 17:25, Jonas Große Sundrup wrote:
> Hi,
> I'm currently trying to bind down some software that spawns processes
> that will use mount. One instance of this produces the corresponding
> line
> apparmor="DENIED" operation="pivotroot" class="mount" profile="/myapp"
> name="/tmp/" pid=185566 comm="pv-bwrap" srcname="/tmp/oldroot/"
> in dmesg.
> For this specific software, I'm basically using apparmor in a "do what
> you want, but here are some deny-rules for you" fashion, so I'd like to
> know what exactly the command would be to just generally allow this
> class of operation.
> Just "mount,", as I have seen it with "signal,", doesn't seem to do the
> trick. Is there a way of allowing this in general without
> hard-specifying every path that exists?
mount, # allow all mount operations
pivot_root, # allow all pivot roots
umount, # allow unmounting
You can then carve out specific rules if you need to with deny rules.
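To show how those three rules sit in a "allow the class, deny the exceptions" profile, here is a constructed profile for the /myapp profile name from the dmesg line; it is an added illustration, not code from either poster, and the profile path, the cgroup2 and remount carve-outs and the abstraction include are assumptions.

```apparmor
# Assumed location: /etc/apparmor.d/myapp (constructed example, not from the thread)
#include <tunables/global>

/myapp flags=(attach_disconnected) {
  #include <abstractions/base>

  # Blanket allow for the whole "mount" class that the DENIED line belongs to:
  # mount(2), umount(2) and pivot_root(2) with any source, target or fstype.
  mount,
  umount,
  pivot_root,

  # For comparison, the narrow rule that matches only the logged call.
  # name= in the log is the new root, srcname= is where the old root is put,
  # so the equivalent targeted allow would be:
  #   pivot_root oldroot=/tmp/oldroot/ /tmp/,

  # Carve-outs (hypothetical): deny rules take precedence over allow rules in
  # AppArmor, so these stay in force even though "mount," matches everything.
  deny mount fstype=cgroup2,
  deny mount options=(rw,remount) /,
  deny umount /proc/,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/myapp` and rerun the workload; any DENIED line still appearing in dmesg names the operation, path and fstype a further rule must cover.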