apparmor: Allow slave bind mounts

Without this, if the system uses shared subtrees by default (like systemd), you get a large stream of lxc-start: Permission denied - Failed to make /<mountpoint> rslave lxc-start: Continuing... with apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave" and eventual failure plus a lot of leftover mounts in the host. https://launchpad.net/bugs/1325468

apparmor: Allow slave bind mounts
2ac9010b · Martin Pitt · Stéphane Graber · 45627ef1 · 2ac9010b
Commit 2ac9010b authored Jul 30, 2014 by Martin Pitt Committed by Stéphane Graber Jul 31, 2014
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

start-container config/apparmor/abstractions/start-container +1 -0

No files found.
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -13,6 +13,7 @@
  mount -> /usr/lib/lxc/{**,},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+  mount options=(rw, slave) -> /,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
  mount -> /var/lib/lxc/{**,},