commit 00d7d9819801ed2ad16be05df7acdaf9a205d543
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Wed Sep 28 16:03:46 2016 -0500
also allow mmap in ^mount-namespace-capture-helper
commit d75da73d9ee6c900de77fd3d7c83c46d30b82934
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Wed Sep 28 15:57:24 2016 -0500
add mmap to AppArmor policy for snap-confine for 4.8 kernels
4.8+ kernels changed both where in the binfmt_elf loader the mmap check on the
main executable is performed and which cred is used for that check. As a
result, when snap-confine runs inside an LXD container that supports AppArmor
namespace stacking, the profile must allow 'm' on
@LIBEXECDIR@/snap-confine.
Index: snap-confine-1.0.42/src/snap-confine.apparmor.in
===================================================================
--- snap-confine-1.0.42.orig/src/snap-confine.apparmor.in
+++ snap-confine-1.0.42/src/snap-confine.apparmor.in
@@ -21,7 +21,7 @@
/usr/lib/@{multiarch}/libseccomp.so* mr,
/lib/@{multiarch}/libseccomp.so* mr,
- @LIBEXECDIR@/snap-confine r,
+ @LIBEXECDIR@/snap-confine mr,
/dev/null rw,
/dev/full rw,
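Review bot: The new `@LIBEXECDIR@/snap-confine mr,` rule carries no comment explaining why a profile needs mmap (`m`) permission on its own executable, so the kernel-version rationale survives only in the commit message and the next person to tighten this policy may drop it. Add above the rule a comment such as `# 4.8+ kernels check the mmap of the main executable in binfmt_elf using the exec'd task's cred, so 'm' is required (seen under LXD with AppArmor namespace stacking)`. The rule names the exact binary path rather than a glob, which keeps the grant narrow; confirm that the enclosing profile (whose header is outside this hunk) is the one attached to that same path, since granting `m` on a file the profile is already executing does not meaningfully widen what it can map.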
@@ -236,7 +236,7 @@
/usr/lib/@{multiarch}/libseccomp.so* mr,
/lib/@{multiarch}/libseccomp.so* mr,
- @LIBEXECDIR@/snap-confine r,
+ @LIBEXECDIR@/snap-confine mr,
/dev/null rw,
/dev/full rw,
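Review bot: This second `@LIBEXECDIR@/snap-confine mr,` rule is an exact duplicate of the one near line 21 with no comment tying the two together, so one copy can easily drift when the other is edited. The enclosing profile is outside the hunk, but the preceding commit's subject suggests this is the `^mount-namespace-capture-helper` child profile; a comment such as `# keep in sync with the parent profile: 4.8+ kernels require 'm' on the main executable` above the rule would record both the reason and the coupling. If the two profiles are generated from the same template, consider a single shared include for these library and executable rules rather than maintaining them twice.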