From 182db98c2aed2dd01d434bdc66c352ac1bf6f891 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20B=C3=A9lair?=
Date: Thu, 10 Apr 2025 15:28:15 +0200
Subject: [PATCH] unprivileged_userns profile: Allow full file system access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes https://gitlab.com/apparmor/apparmor/-/issues/505

The profile previously permitted access to `/**`, which excludes the root directory (`/`). This commit also gives `/` access, aligning with the intended behavior.

Signed-off-by: Maxime Bélair
---
 profiles/apparmor.d/unprivileged_userns | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/unprivileged_userns b/profiles/apparmor.d/unprivileged_userns
index a131c9ce8..8f6e7861b 100644
--- a/profiles/apparmor.d/unprivileged_userns
+++ b/profiles/apparmor.d/unprivileged_userns
@@ -13,7 +13,7 @@ profile unprivileged_userns {
 allow network,
 allow signal,
 allow dbus,
- allow file rwlkm /**,
+ allow file rwlkm /{,**},
 allow unix,
 allow mqueue,
 allow ptrace,
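Review bot: The new rule `allow file rwlkm /{,**},` has no comment explaining the alternation, so a later cleanup could collapse it back to `/**` and silently drop access to `/` again. I would put a line above it such as `# /** does not match the root directory itself, so / is listed explicitly`. The diffstat shows only the profile file changing, so nothing in this patch pins the intended match; a small parser or regression check that `/` is covered by this profile would keep the fix from regressing. The rest of the profile body lies outside the hunk, so whether other path rules in it have the same `/**` gap cannot be judged from here.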