[lxc-devel] [PATCH] apparmor: don't allow mounting cgroupfs by default
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Mar 31 22:29:40 UTC 2014
Leave the line to do it (commented out) as some users may not be
using cgmanager, and may in fact still need those mounts.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/apparmor/profiles/lxc-default-with-nesting | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
index 245f2f8..03325aa 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -5,7 +5,8 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
#include <abstractions/lxc/container-base>
#include <abstractions/lxc/start-container>
- mount fstype=cgroup -> /sys/fs/cgroup/**,
+# Uncomment the line below if you are not using cgmanager
+# mount fstype=cgroup -> /sys/fs/cgroup/**,
mount fstype=proc -> /var/cache/lxc/**,
mount fstype=sysfs -> /var/cache/lxc/**,
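Review bot: the new in-profile comment on the `# Uncomment the line below if you are not using cgmanager` line tells the admin when to re-enable the rule but not why it is off by default, so someone troubleshooting a nested container that cannot mount cgroupfs will likely just uncomment it. Suggest carrying the rationale from the commit message into the profile, e.g. `# cgmanager provides cgroup access to nested containers; only enable this mount rule if you are not using cgmanager`, so that re-enabling `mount fstype=cgroup -> /sys/fs/cgroup/**,` is a deliberate choice rather than a reflex. Also worth confirming in the commit message whether the same rule exists in the non-nesting default profile, since this hunk only touches lxc-default-with-nesting.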
--
1.9.1