# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Minimal set of rules for bwrap

# A profile using this abstraction still needs to set:
# - the attach_disconnected flag, so that paths that become disconnected from
#   the profile's namespace after pivot_root are still matched by the rules
# - bwrap execution: '@{bin}/bwrap rix,'
# Note that 'rix' inherits the caller's profile: bwrap, and any program it
# executes for which the profile has no other exec transition, runs under the
# same profile, so the userns, capability, mount and pivot_root grants below
# apply to all of it, not only to bwrap itself.

  # bwrap builds its sandbox in a new user namespace. The grant goes to the
  # inheriting profile (bwrap is executed with 'rix'), so every process of that
  # profile may create user namespaces, not just bwrap.
  userns,

  # Capabilities used while setting up the sandbox. sys_admin is the one the
  # mount, remount, umount and pivot_root rules below depend on at the kernel
  # level. NOTE(review): the exact use of setpcap (presumably bounding-set
  # changes), net_admin with netlink raw (presumably loopback setup when the
  # network namespace is unshared) and sys_ptrace is not visible here; confirm
  # against the bwrap version in use before widening or trimming this list.
  capability net_admin,
  capability setpcap,
  capability sys_admin,
  capability sys_ptrace,

  network netlink raw,

  # Sandbox filesystem construction. These rules are deliberately broad on
  # both sides: anything under /oldroot/ may be bind-mounted anywhere under
  # /newroot/, and tmpfs may be mounted anywhere under /newroot/. What the
  # sandboxed process ends up seeing is therefore decided by the bwrap command
  # line, not by this abstraction. /oldroot/ is made rprivate and / rslave,
  # which keeps mount events inside the sandbox from propagating back to the
  # host mount tree. 'options=(...)' is an exact flag match in AppArmor, so a
  # mount requested with a different flag set (e.g. proc without noexec) is
  # denied rather than granted.
  mount               options=(rw rbind)                 /tmp/newroot/ -> /tmp/newroot/,
  mount               options=(rw rbind)                /oldroot/{,**} -> /newroot/{,**},
  mount               options=(rw silent rprivate)                     -> /oldroot/,
  mount               options=(rw silent rslave)                       -> /,
  mount fstype=devpts options=(rw nosuid noexec)                devpts -> /newroot/dev/pts/,
  mount fstype=proc   options=(rw nosuid nodev noexec)            proc -> /newroot/@{PROC}/,
  mount fstype=tmpfs  options=(rw nosuid nodev)                  tmpfs -> /newroot/{,**},
  mount fstype=tmpfs  options=(rw nosuid nodev)                  tmpfs -> /tmp/,

  # Remount anything under the staged root (e.g. to turn a bind mount read-only).
  remount /newroot/{,**},

  # Detach the old root once the sandbox has been pivoted into.
  umount /,
  umount /oldroot/,

  # Two pivot_root shapes: new root /newroot/ with the old root left at
  # /newroot/ itself, or new root /tmp/ with the old root parked at /tmp/oldroot/.
  pivot_root oldroot=/newroot/ /newroot/,
  pivot_root oldroot=/tmp/oldroot/ /tmp/,

  # Paths bwrap touches while staging the sandbox. 'owner' restricts each rule
  # to files owned by the process's own fsuid; write access under /newroot/ is
  # otherwise unrestricted.
  owner / r,
  owner /newroot/{,**} w,

  # Staging directories (presumably created by bwrap itself) for the
  # /tmp-based pivot_root variant above.
  owner /tmp/newroot/ w,
  owner /tmp/oldroot/ w,

  # User namespace setup. The three system-wide sysctls are read-only;
  # uid_map/gid_map/setgroups are written to establish the id mapping of the
  # new namespace and are owner-restricted, so only the process's own /proc
  # entries are reachable. cgroup, fd/ and mountinfo are read-only on the
  # process's own entries as well.
        @{PROC}/sys/kernel/overflowgid r,
        @{PROC}/sys/kernel/overflowuid r,
        @{PROC}/sys/user/max_user_namespaces r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/gid_map rw,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/setgroups rw,
  owner @{PROC}/@{pid}/uid_map rw,

  # Local drop-in for site-specific additions; silently skipped when absent.
  include if exists <abstractions/common/bwrap.d>
