[lxc-devel] [RFC lxc 1/2] AppArmor: add make-rslave to usr.bin.lxc-start
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Nov 20 15:58:14 UTC 2015
Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> The profile already contains
> mount options=(rw, make-slave) -> **,
>
> Which allows going through all mountpoints with make-slave,
> so it seems to make sense to also allow the directly
> recursive variant with "make-rslave".
>
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/apparmor/abstractions/start-container | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
> index b06a84d..eee0c2f 100644
> --- a/config/apparmor/abstractions/start-container
> +++ b/config/apparmor/abstractions/start-container
> @@ -15,6 +15,7 @@
> mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
> mount options=bind /dev/pts/** -> /dev/**,
> mount options=(rw, make-slave) -> **,
> + mount options=(rw, make-rslave) -> **,
> mount fstype=debugfs,
> # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
> mount -> /var/lib/lxc/{**,},
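Review bot: The subject names usr.bin.lxc-start, but the added line `mount options=(rw, make-rslave) -> **,` lands in config/apparmor/abstractions/start-container. Retitle the commit to name the abstraction so the history matches the file that changed. A one-line comment above the make-slave/make-rslave pair would also help, stating why propagation changes are permitted on any mountpoint (`-> **`); the pre-mount hook rule just below carries such a comment, while these two rules have none.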
> --
> 2.1.4