Merge profiles: fix unshare for deleted files

Unfortunately similar to bwrap unshare will need the mediate_deleted flag in some cases. see commit 6488e1fb7 "profiles: add mediate_deleted to bwrap" Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1521 Approved-by: Ryan Lee <rlee287@yahoo.com> Merged-by: Ryan Lee <rlee287@yahoo.com>
2025-08-31 06:16:03 +00:00 · 2025-02-06 19:44:21 +00:00
parent 5bc1cd763c c157eb0cb6
commit b5b1944f58
1 changed files with 2 additions and 2 deletions
--- a/profiles/apparmor/profiles/extras/unshare-userns-restrict
+++ b/profiles/apparmor/profiles/extras/unshare-userns-restrict
@@ -17,7 +17,7 @@ abi <abi/4.0>,

 include <tunables/global>

-profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+profile unshare /usr/bin/unshare flags=(attach_disconnected mediate_deleted) {
  # not allow all, to allow for cix transition
  # and to limit executable mapping to just unshare
  allow capability,
@@ -43,7 +43,7 @@ profile unshare /usr/bin/unshare flags=(attach_disconnected) {
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/unshare-userns-restrict>

-  profile unpriv flags=(attach_disconnected) {
+  profile unpriv flags=(attach_disconnected mediate_deleted) {
    # not allow all, to allow for pix stack
    allow file rwlkm /{**,},
    allow network,