From 3f15ce23bafb70faaf958a0c758e60d6ff2489e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20B=C3=A9lair?= Date: Wed, 27 Nov 2024 17:25:05 +0100 Subject: [PATCH] Update man apparmor.d to highlight pivot_root limitation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As pointed out by https://bugs.launchpad.net/apparmor/+bug/2087875, profile transitions with pivot_root are currently not supported on any kernel. This commit makes this limitation more obvious to users. Signed-off-by: Maxime Bélair (cherry picked from commit cf51f7aadd11bbb6a009ee5d3d9b4a96fa2e22e5) Signed-off-by: John Johansen --- parser/apparmor.d.pod | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index 637a5f260..1100e4a4a 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -1339,8 +1339,9 @@ pivot_root(2) is optionally specified in the 'pivot_root' rule using the 'oldroot=' prefix. AppArmor 'pivot_root' rules can specify a profile transition to occur during -the pivot_root(2) system call. Note that AppArmor will only transition the -process calling pivot_root(2) to the new profile. +the pivot_root(2) system call. Note that currently, this feature is not +supported by any kernel. When this feature will be supported, AppArmor will +only transition the process calling pivot_root(2) to the new profile. The paths specified in 'pivot_root' rules must end with '/' since they are directories.
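Review bot: The added sentence "When this feature will be supported, AppArmor will only transition the process calling pivot_root(2) to the new profile." is ungrammatical and should read "Once this feature is supported, AppArmor will only transition the process calling pivot_root(2) to the new profile." The new text also tells the reader the transition is unsupported but not what happens to a profile that already contains a 'pivot_root' rule with a transition target, which is the question an administrator auditing existing policy will ask; one sentence saying whether such a rule is rejected at load time or accepted with the transition not taking effect would make the limitation actionable rather than merely visible, and linking the Launchpad bug cited in the commit message from the man page would let users track when the caveat can be dropped.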