[lxc-devel] [PATCH] apparmor: Use more generic allow rule for pivot
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Apr 8 17:21:45 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> Recent fixes in the apparmor kernel code are now making at least the CI
> environment and quite possibly some others fail due to an invalid path
> in the pivot_root stanza.
>
> So update both lines to allow a more generic pivot_root call for
> anything in LXC's work directory.
>
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/apparmor/abstractions/start-container | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
> index d10996b..5d8822a 100644
> --- a/config/apparmor/abstractions/start-container
> +++ b/config/apparmor/abstractions/start-container
> @@ -28,8 +28,8 @@
> umount,
> #umount /mnt/{**,},
>
> - pivot_root /usr/lib/*/lxc/,
> - pivot_root /usr/lib/lxc/root/,
> + pivot_root /usr/lib/lxc/**,
> + pivot_root /usr/lib/*/lxc/**,
>
> change_profile -> lxc-*,
> change_profile -> unconfined,
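Review bot: The two added rules, `pivot_root /usr/lib/lxc/**,` and `pivot_root /usr/lib/*/lxc/**,`, carry no comment saying why the exact directories were replaced with `**` globs, and they widen the permission from two specific directories to any path below LXC's lib directory. A one-line comment above them recording the reason given in the commit message (recent apparmor kernel fixes making the old paths fail) would help later readers of the profile. If the path the kernel now matches against is known, a narrower pattern than `**` would keep the confinement closer to what the removed rules expressed.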
> --
> 1.9.1
>