Comment # 12 on bug 1221840 from Stefano Brivio
Comment on attachment 873969 [details]
Proposed upstream patch, tested on Debian only

>diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
>index 6bb25e0..61ec32c 100644
>--- a/contrib/apparmor/abstractions/passt
>+++ b/contrib/apparmor/abstractions/passt
>@@ -27,6 +27,7 @@
> 
>   /					r,	# isolate_prefork(), isolation.c
>   mount options=(rw, runbindable) /,
>+  mount		""	-> "/",
>   mount		""	-> "/tmp/",
>   pivot_root	"/tmp/" -> "/tmp/",
>   umount	"/",
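Review bot: The added `mount "" -> "/",` rule carries no `options=` or `fstype=` qualifier, so, as far as AppArmor mount-rule matching goes, it is not limited to the flags of the single call it is meant to permit, unlike the `options=(rw, runbindable)` line directly above it. If it is only needed for the remount of `/` done in isolate_prefork(), consider qualifying it with the options that call actually passes. At minimum add a trailing comment such as `# isolate_prefork(), isolation.c` saying which call and which AppArmor behaviour require it, so a later reader does not treat it as a duplicate. The abstraction continues outside the hunk, so other rules may already narrow this.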
>diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
>index a890391..e10d2a7 100644
>--- a/contrib/apparmor/abstractions/pasta
>+++ b/contrib/apparmor/abstractions/pasta
>@@ -27,7 +27,7 @@
>   @{PROC}/@{pid}/net/udp		r,
>   @{PROC}/@{pid}/net/udp6		r,
> 
>-  @{run}/user/@{uid}/netns/*		r,	# pasta_open_ns(), pasta.c
>+  @{run}/user/@{uid}/**			r,	# pasta_open_ns(), pasta.c
> 
>   @{PROC}/[0-9]*/ns/net			r,	# pasta_wait_for_ns(),
>   @{PROC}/[0-9]*/ns/user		r,	# conf_pasta_ns()
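Review bot: The replacement rule `@{run}/user/@{uid}/** r,` grants read access to the entire per-user runtime directory, which is much broader than the namespace handle that the unchanged `pasta_open_ns()` comment describes. That directory typically holds state belonging to unrelated services, so the profile would no longer prevent a misbehaving pasta process from reading it. Consider keeping the original `netns/*` rule and adding a second, narrow rule for the specific location that caused the denial, which is not visible on this page, e.g. `@{run}/user/@{uid}/<runtime-specific-dir>/** r,` (placeholder path). If the broad glob has to stay, the comment should say why and name the caller that needs it.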

