Properly update the generated apparmor profiles

Some changes happened but the final profiles weren't generated... Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Properly update the generated apparmor profiles
056f8bba · Stéphane Graber · eab570bc · 056f8bba
Unverified Commit 056f8bba authored Mar 07, 2016 by Stéphane Graber
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

container-base config/apparmor/abstractions/container-base +6 -0

No files found.
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -62,6 +62,10 @@
  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+  # allow bind mounts of /run/{,lock} to /var/run/{,lock}
+  mount options=(rw, bind) /run/ -> /var/run/,
+  mount options=(rw, bind) /run/lock/ -> /var/lock/,
  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,
@@ -83,9 +87,11 @@
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
+  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+  mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
  # generated by: lxc-generate-aa-rules.py container-rules.base
  deny /proc/sys/[^kn]*{,/**} wklx,