lxd/apparmor: Include CAP_SYS_ADMIN in rsync AppArmor profile

The CAP_SYS_ADMIN cap is required for rsync to write to files using security.* xattrs. In order to preserve these xattrs and ensure proper updates when these xattrs are present, we must include this capability in the rsync AppArmor profile. Signed-off-by: Mark Bolton <[email protected]>
canonical · Oct 8, 2024 · 38a2cac · 38a2cac
1 parent e09d5a7
commit 38a2cac
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/lxd/apparmor/rsync.go b/lxd/apparmor/rsync.go
@@ -29,6 +29,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   capability fsetid,
   capability mknod,
   capability setfcap,
+  capability sys_admin,
 
   unix (connect, send, receive) type=stream,