apparmor: account for specified rootfs path (closes #2617)

.gitignore

@@ -111,6 +111,7 @@ config/ltmain.sh
 config/missing
 config/libtool.m4
 config/lt*.m4
+config/apparmor/abstractions/start-container
 config/bash/lxc
 config/init/common/lxc-containers
 config/init/common/lxc-net

config/apparmor/Makefile.am

@@ -19,7 +19,7 @@ install-apparmor:
 	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
 	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 	$(INSTALL_DATA) $(srcdir)/abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
-	$(INSTALL_DATA) $(srcdir)/abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
+	$(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
 	$(INSTALL_DATA) $(srcdir)/profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 	$(INSTALL_DATA) $(srcdir)/profiles/lxc-default-cgns $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 	$(INSTALL_DATA) $(srcdir)/profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/

config/apparmor/abstractions/start-container → config/apparmor/abstractions/start-container.in

@@ -11,6 +11,7 @@
   # currently blocked by apparmor bug
   mount -> /usr/lib*/*/lxc/{**,},
   mount -> /usr/lib*/lxc/{**,},
+  mount -> @LXCROOTFSMOUNT@/{,**},
   mount fstype=devpts -> /dev/pts/,
   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
   mount options=bind /dev/pts/** -> /dev/**,
@@ -38,6 +39,7 @@
   pivot_root /usr/lib*/*/lxc/,
   pivot_root /usr/lib*/lxc/**,
   pivot_root /usr/lib*/*/lxc/**,
+  pivot_root @LXCROOTFSMOUNT@/{,**},
 
   change_profile -> lxc-*,
   change_profile -> lxc-**,

configure.ac

@@ -714,6 +714,7 @@ AC_CONFIG_FILES([
 
 	config/Makefile
 	config/apparmor/Makefile
+	config/apparmor/abstractions/start-container
 	config/selinux/Makefile
 	config/bash/Makefile
 	config/bash/lxc