[lxc-devel] [PATCH] apparmor: don't allow mounting cgroupfs by default

Stéphane Graber stgraber at ubuntu.com
Tue Apr 1 15:21:57 UTC 2014


On Mon, Mar 31, 2014 at 05:29:40PM -0500, Serge Hallyn wrote:
> Leave the line to do it (commented out) as some users may not be
> using cgmanager, and may in fact still need those mounts.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  config/apparmor/profiles/lxc-default-with-nesting | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
> index 245f2f8..03325aa 100644
> --- a/config/apparmor/profiles/lxc-default-with-nesting
> +++ b/config/apparmor/profiles/lxc-default-with-nesting
> @@ -5,7 +5,8 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
>    #include <abstractions/lxc/container-base>
>    #include <abstractions/lxc/start-container>
>  
> -  mount fstype=cgroup -> /sys/fs/cgroup/**,
> +#  Uncomment the line below if you are not using cgmanager
> +#  mount fstype=cgroup -> /sys/fs/cgroup/**,
>  
>    mount fstype=proc -> /var/cache/lxc/**,
>    mount fstype=sysfs -> /var/cache/lxc/**,
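Review bot: the replacement comment at the `+#  Uncomment the line below if you are not using cgmanager` line tells an administrator when to re-enable the rule but not why it was removed; an admin auditing the profile later cannot tell whether the commented-out `mount fstype=cgroup -> /sys/fs/cgroup/**,` is a deliberate hardening or a leftover. Suggest carrying the rationale from the commit message into the profile, e.g. "# cgmanager makes a cgroupfs mount inside the container unnecessary, so it is denied by default; uncomment the line below only if you do not use cgmanager and still need those mounts". Also worth noting in the comment that this only drops the explicit allow rule, so the resulting denial comes from the profile's default, which is the behaviour the commit message describes.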
> -- 
> 1.9.1
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com