allow cgroupfs mounts under /sys/fs/cgroup

Systemd needs to be able to do these, and it does not bypass any of our apparmor rules. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

allow cgroupfs mounts under /sys/fs/cgroup
833bf9c2 · Serge Hallyn · fe3c80af · 833bf9c2
Commit 833bf9c2 authored Jan 28, 2016 by Serge Hallyn
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

container-base.in config/apparmor/abstractions/container-base.in +1 -0

No files found.
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -86,4 +86,5 @@
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+  mount fstype=cgroup -> /sys/fs/cgroup/**,