apparmor: Allow ro remount of boot_id

The rule added in 86384507 did not cover all necessary mount calls for /proc/sys/kernel/random/boot_id (in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

apparmor: Allow ro remount of boot_id
551301ff · Stoiko Ivanov · Christian Brauner · 5e9c4953 · 551301ff
Unverified Commit 551301ff authored Jul 22, 2020 by Stoiko Ivanov Committed by Christian Brauner Aug 03, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

start-container.in config/apparmor/abstractions/start-container.in +1 -0

No files found.
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
@@ -22,6 +22,7 @@
  mount -> /var/lib/lxc/{**,},

  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
+  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,

  # required for some pre-mount hooks
  mount fstype=overlayfs,