[lxc-devel] [lxc/master] apparmor: account for specified rootfs path (closes #2617)

CameronNemo on Github lxc-bot at linuxcontainers.org
Tue Sep 18 01:38:48 UTC 2018


From 9b23db33006413ea342061a85c650bbe475f3596 Mon Sep 17 00:00:00 2001
From: Cameron Nemo <camerontnorman at gmail.com>
Date: Mon, 17 Sep 2018 18:37:57 -0700
Subject: [PATCH] apparmor: account for specified rootfs path (closes #2617)

Signed-off-by: Cameron Nemo <camerontnorman at gmail.com>
---
 .gitignore                                                 | 1 +
 .../abstractions/{start-container => start-container.in}   | 2 ++
 configure.ac                                               | 7 ++++---
 3 files changed, 7 insertions(+), 3 deletions(-)
 rename config/apparmor/abstractions/{start-container => start-container.in} (95%)

diff --git a/.gitignore b/.gitignore
index 0d266c200..45377714c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -111,6 +111,7 @@ config/ltmain.sh
 config/missing
 config/libtool.m4
 config/lt*.m4
+config/apparmor/abstractions/start-container
 config/bash/lxc
 config/init/common/lxc-containers
 config/init/common/lxc-net
diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container.in
similarity index 95%
rename from config/apparmor/abstractions/start-container
rename to config/apparmor/abstractions/start-container.in
index 3df9883e3..f2b48235d 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container.in
@@ -11,6 +11,7 @@
   # currently blocked by apparmor bug
   mount -> /usr/lib*/*/lxc/{**,},
   mount -> /usr/lib*/lxc/{**,},
+  mount -> @LXCROOTFSMOUNT@/{,**},
   mount fstype=devpts -> /dev/pts/,
   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
   mount options=bind /dev/pts/** -> /dev/**,
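Review bot: The new rule `mount -> @LXCROOTFSMOUNT@/{,**},` (and the matching `pivot_root @LXCROOTFSMOUNT@/{,**},` in the hunk at -38,+39) makes the allowed mount and pivot_root targets depend on a configure-time path, so the generated profile is only as narrow as the value the packager substitutes, and a broad value widens what a container start may mount over. Worth a comment above the rule so the dependency is visible to the next reader, e.g. `# rootfs mount point substituted at configure time (LXCROOTFSMOUNT); the {,**} glob covers everything beneath it, so keep the configured path specific`. The existing hardcoded `/usr/lib*/lxc/` lines are kept, so this extends rather than replaces the allow-list. I cannot see from this patch whether a trailing slash in the configured value is stripped before substitution; if it is not, the rule would contain `//`, which is worth checking where LXCROOTFSMOUNT is defined.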
@@ -38,6 +39,7 @@
   pivot_root /usr/lib*/*/lxc/,
   pivot_root /usr/lib*/lxc/**,
   pivot_root /usr/lib*/*/lxc/**,
+  pivot_root @LXCROOTFSMOUNT@/{,**},
 
   change_profile -> lxc-*,
   change_profile -> lxc-**,
diff --git a/configure.ac b/configure.ac
index 92d6601d7..ba44770dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -202,9 +202,9 @@ AC_ARG_ENABLE([doc],
 
 if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then
 	db2xman=""
-	dbparsers="docbook2X2man docbook2x-man db2x_docbook2man docbook2man docbook-to-man"
+	dbparsers="docbook2X2man docbook2man db2x_docbook2man docbook2man docbook-to-man"
 
-	AC_MSG_CHECKING(for docbook2x-man)
+	AC_MSG_CHECKING(for docbook2man)
 	for name in ${dbparsers}; do
 		if "$name" --help >/dev/null 2>&1; then
 			db2xman="$name"
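Review bot: The `dbparsers` list in this hunk now contains `docbook2man` twice and no longer probes `docbook2x-man`, and the AC_MSG_CHECKING wording here and the AC_MSG_ERROR wording in the hunk at -218,+218 change to match; none of this is mentioned in the commit message, which is about the apparmor rootfs path, so it looks like an unrelated or accidental change that should be dropped or split into its own commit. If dropping `docbook2x-man` is intended, the duplicate entry should still go: `dbparsers="docbook2X2man docbook2man db2x_docbook2man docbook-to-man"`.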
@@ -218,7 +218,7 @@ if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then
 	else
 		AC_MSG_RESULT([no])
 		if test "x$enable_doc" = "xyes"; then
-			AC_MSG_ERROR([docbook2x-man is required, but could not be found])
+			AC_MSG_ERROR([docbook2man is required, but could not be found])
 		fi
 		enable_doc="no"
 	fi
@@ -714,6 +714,7 @@ AC_CONFIG_FILES([
 
 	config/Makefile
 	config/apparmor/Makefile
+	config/apparmor/abstractions/start-container
 	config/selinux/Makefile
 	config/bash/Makefile
 	config/bash/lxc
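Review bot: Adding `config/apparmor/abstractions/start-container` to AC_CONFIG_FILES means the abstraction is now produced in the build tree, but the diffstat shows no change to `config/apparmor/Makefile.am`; unless that Makefile already installs the file from the build directory and distributes the `.in` template instead of the old file, out-of-tree builds and `make dist` will reference the file that the rename just removed from the source tree. I also cannot see from this patch where `LXCROOTFSMOUNT` is made available to substitution; if it is not `AC_SUBST`ed, the `@LXCROOTFSMOUNT@` token in the new template would be left literal and the generated rule would be wrong rather than failing loudly, so that is worth confirming before merge.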

