From 0e1d9c67c45a923c0d9bdc9c7e254b286c74c386 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis@collabora.com>
Date: Wed, 18 Dec 2019 11:43:34 +0100
Subject: [PATCH] AppArmor: Allow access to mount related files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The apparmor-session-lockdown-no-deny test reports the following DENIED events:
$ sudo journalctl -b -t audit -o cat | aa_log_extract_tokens.sh DENIED
====
profile:/usr/bin/prestwood
apparmor:DENIED
denied_mask:r
operation:open
name:/proc/905/mountinfo
requested_mask:r
====
profile:/usr/bin/prestwood
apparmor:DENIED
denied_mask:r
operation:open
name:/etc/fstab
requested_mask:r
====
profile:/usr/bin/prestwood
apparmor:DENIED
denied_mask:r
operation:open
name:/proc/905/mountinfo
requested_mask:r
====
profile:/usr/bin/prestwood
apparmor:DENIED
denied_mask:r
operation:open
name:/proc/905/mounts
requested_mask:r

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
---
 debian/usr.bin.prestwood | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/usr.bin.prestwood b/debian/usr.bin.prestwood
index da8e634..8a6f7ad 100644
--- a/debian/usr.bin.prestwood
+++ b/debian/usr.bin.prestwood
@@ -28,4 +28,7 @@
   dbus (send, receive) bus=session peer=(label=/usr/lib/gvfs/gvfs*),
 
   /run/systemd/journal/{socket,stdout} rw,
+  /proc/@{pid}/mountinfo r,
+  /proc/@{pid}/mounts r,
+  /etc/fstab r,
 }
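Review bot: The two `/proc/@{pid}/...` rules added here are broader than the denials require, because `@{pid}` matches any numeric pid rather than only the confined task's own. The log shows a single pid (905), presumably prestwood itself, so `owner /proc/@{pid}/mountinfo r,` and `owner /proc/@{pid}/mounts r,` would limit the grant to entries owned by the same user; re-run the no-deny test to confirm they still suffice. The new rules also carry no comment saying why prestwood needs the mount table; a line such as `# mount table lookups (presumably GIO/gvfs volume monitoring)` above them would help the next audit of the profile. The profile body starts outside the hunk, so I can't confirm from here that the tunables defining `@{pid}` are included.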
-- 
GitLab