Merge pull request #5579 from jdstrand/add-ptrace-read-for-4.18-2.34

(2.34) cmd/snap-confine: allow ptrace read for 4.18 kernels
snapcore · Jul 31, 2018 · 7ef3443 · 7ef3443
2 parents 8b5e8f9 + 7921783
commit 7ef3443
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
@@ -365,6 +365,8 @@
     # support for the mount namespace sharing
     capability sys_ptrace,
     # allow snap-confine to read /proc/1/ns/mnt
+    ptrace read peer=unconfined,
+    # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
     ptrace trace peer=unconfined,
 
     mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,