apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/}

Some systems need to be able to bind-mount /run to /var/run and /run/lock to /var/run/lock. (Tested with opensuse 13.1 containers migrated from openvz.) Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/}
4a491a31 · Wolfgang Bumiller · f1ed87e1 · 4a491a31
Commit 4a491a31 authored Feb 02, 2016 by Wolfgang Bumiller
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

container-base.in config/apparmor/abstractions/container-base.in +4 -0

No files found.
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -62,6 +62,10 @@
  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

+  # allow bind mounts of /run/{,lock} to /var/run/{,lock}
+  mount options=(rw, bind) /run/ -> /var/run/,
+  mount options=(rw, bind) /run/lock/ -> /var/lock/,
+
  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,