Hi,

I'm currently trying to bind down some software that spawns processes that will use mount. One instance of this produces the corresponding line

apparmor="DENIED" operation="pivotroot" class="mount" profile="/myapp" name="/tmp/" pid=185566 comm="pv-bwrap" srcname="/tmp/oldroot/"

in dmesg. For this specific software, I'm basically using AppArmor in a "do what you want, but here are some deny-rules for you" fashion, so I'd like to know what exactly the command would be to just generally allow this class of operation. Just "mount,", as I have seen it with "signal,", doesn't seem to do the trick. Is there a way of allowing this in general without hard-specifying every path that exists?

Thanks,
Jonas
