AppArmor: Allow access to mount related files

apparmor-session-lockdown-no-deny test returns the following events: $ sudo journalctl -b -t audit -o cat | aa_log_extract_tokens.sh DENIED ==== profile:/usr/bin/prestwood apparmor:DENIED denied_mask:r operation:open name:/proc/905/mountinfo requested_mask:r ==== profile:/usr/bin/prestwood apparmor:DENIED denied_mask:r operation:open name:/etc/fstab requested_mask:r ==== profile:/usr/bin/prestwood apparmor:DENIED denied_mask:r operation:open name:/proc/905/mountinfo requested_mask:r ==== profile:/usr/bin/prestwood apparmor:DENIED denied_mask:r operation:open name:/proc/905/mounts requested_mask:r Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

AppArmor: Allow access to mount related files
apparmor-session-lockdown-no-deny test returns the following events: $ sudo journalctl -b -t audit -o cat | aa_log_extract_tokens.sh DENIED ==== profile:/usr/bin/prestwood apparmor:DENIED denied_mask:r operation:open name:/proc/905/mountinfo requested_mask:r ==== profile:/usr/bin/prestwood apparmor:DENIED denied_mask:r operation:open name:/etc/fstab requested_mask:r ==== profile:/usr/bin/prestwood apparmor:DENIED denied_mask:r operation:open name:/proc/905/mountinfo requested_mask:r ==== profile:/usr/bin/prestwood apparmor:DENIED denied_mask:r operation:open name:/proc/905/mounts requested_mask:r Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
0e1d9c67 · Frederic Danis · 26947914 · 0e1d9c67
Commit 0e1d9c67 authored 5 years ago by Frederic Danis
--- a/debian/usr.bin.prestwood
+++ b/debian/usr.bin.prestwood
@@ -28,4 +28,7 @@
  dbus (send, receive) bus=session peer=(label=/usr/lib/gvfs/gvfs*),

  /run/systemd/journal/{socket,stdout} rw,
+  /proc/@{pid}/mountinfo r,
+  /proc/@{pid}/mounts r,
+  /etc/fstab r,
 }