apparmor: Use more generic allow rule for pivot

Recent fixes in the apparmor kernel code is now making at least the CI environment and quite possibly some others fail due to an invalid path in the pivot_root stanza. So update both lines to allow a more generic pivot_root call for anything in LXC's work directory. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

apparmor: Use more generic allow rule for pivot
4fb04047 · Stéphane Graber · 59630560 · 4fb04047
Commit 4fb04047 authored Apr 08, 2014 by Stéphane Graber
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

start-container config/apparmor/abstractions/start-container +6 -1

No files found.
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -28,8 +28,13 @@
  umount,
  #umount /mnt/{**,},

+  # This may look a bit redundant, however it appears we need all of
+  # them if we want things to work properly on all combinations of kernel
+  # and userspace parser...
+  pivot_root /usr/lib/lxc/,
  pivot_root /usr/lib/*/lxc/,
-  pivot_root /usr/lib/lxc/root/,
+  pivot_root /usr/lib/lxc/**,
+  pivot_root /usr/lib/*/lxc/**,

  change_profile -> lxc-*,
  change_profile -> unconfined,