relax apparmor config

Author: dmcilvaney

.github/workflows/check-rendered-specs.yml

@@ -92,9 +92,15 @@ jobs:
       # This dodges the whole class of poisoned-.git/config attacks
       # (diff.external, diff drivers, filter drivers, hooks, etc.).
       #
-      # SYS_ADMIN is needed for mock (mount namespaces for chroot). We avoid
-      # --privileged to limit blast radius. --security-opt no-new-privileges
-      # would be nice but mock's userhelper requires setuid, which that blocks.
+      # Sandbox knobs:
+      #   --cap-add=SYS_ADMIN      mock needs mount namespaces for chroot
+      #   seccomp=unconfined       mock uses syscalls filtered by the default profile
+      #   apparmor=unconfined      ubuntu-latest ships docker-default AppArmor which
+      #                            blocks `mount -t tmpfs` on paths under /var/lib/mock
+      #                            even with SYS_ADMIN granted
+      # We still avoid --privileged (broader blast radius).
+      # --security-opt no-new-privileges would be nice but mock's userhelper
+      # requires setuid, which that flag blocks.
       - name: Render + check for drift
         id: check
         continue-on-error: true # TODO: flip off once check stabilizes (see PR #16674)
@@ -106,6 +112,7 @@ jobs:
           docker run --rm \
             --cap-add=SYS_ADMIN \
             --security-opt seccomp=unconfined \
+            --security-opt apparmor=unconfined \
             -v "$WORKSPACE/pr-head:/workdir" \
             -v "$WORKSPACE/render-output:/output" \
             -v "$WORKSPACE/.github/workflows/scripts:/scripts:ro" \