apparmor: update current profiles

remove cgmanager rules and add fstype=cgroup2 variants for the existing fstype=cgroup rules Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

apparmor: update current profiles
296f7311 · Wolfgang Bumiller · Christian Brauner · 99b7f9db · 296f7311 · 296f7311
Unverified Commit 296f7311 authored Jul 25, 2018 by Wolfgang Bumiller Committed by Christian Brauner Jul 31, 2018
Showing with 2 additions and 1 deletion

container-base.in config/apparmor/abstractions/container-base.in +0 -1

lxc-default-cgns config/apparmor/profiles/lxc-default-cgns +1 -0

lxc-default-with-nesting config/apparmor/profiles/lxc-default-with-nesting +1 -0

No files found.
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -85,7 +85,6 @@
  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
-  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
  mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
  # deny reads from debugfs

--- a/config/apparmor/profiles/lxc-default-cgns
+++ b/config/apparmor/profiles/lxc-default-cgns
@@ -9,4 +9,5 @@ profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
+  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 }
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -11,4 +11,5 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount fstype=cgroup -> /sys/fs/cgroup/**,
+  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 }