Created attachment 873969
Proposed upstream patch, tested on Debian only
With these changes:
- remounting / from an empty mountpoint should now be allowed by AppArmor
across AppArmor commit d4b0fef10a4a ("parser: fix rule flag generation
change_mount type rules")
- access to the filesystem-bound network namespace typically used by Podman's
custom networks or Buildah (not 'podman run') is now enabled for pasta, as well