apparmor: don't allow mounting cgroupfs by default

Leave the line to do it (commented out) as some users may not be using cgmanager, and may in fact still need those mounts. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

apparmor: don't allow mounting cgroupfs by default
1bca2013 · Serge Hallyn · Stéphane Graber · a0718c49 · 1bca2013
Commit 1bca2013 authored Mar 31, 2014 by Serge Hallyn Committed by Stéphane Graber Apr 01, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

lxc-default-with-nesting config/apparmor/profiles/lxc-default-with-nesting +2 -1

No files found.
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -5,7 +5,8 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

-  mount fstype=cgroup -> /sys/fs/cgroup/**,
+#  Uncomment the line below if you are not using cgmanager
+#  mount fstype=cgroup -> /sys/fs/cgroup/**,

  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,