apparmor: Sync with current git master

This makes stable-1.0, stable-1.1 and master all be in sync with regard to apparmor. This has the nice added benefit of fixing an apparmor regression with /dev/pts handling in some older kernels. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

apparmor: Sync with current git master
c94ee7a0 · Stéphane Graber · 063a6e23 · c94ee7a0 · c94ee7a0
Unverified Commit c94ee7a0 authored Oct 14, 2015 by Stéphane Graber
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

start-container config/apparmor/abstractions/start-container +1 -0

lxc-default-with-nesting config/apparmor/profiles/lxc-default-with-nesting +1 -1

No files found.
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -13,6 +13,7 @@
  mount -> /usr/lib/lxc/{**,},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+  mount options=bind /dev/pts/** -> /dev/**,
  mount options=(rw, make-slave) -> **,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/

--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -12,5 +12,5 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
-  mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,
+  mount options=(rw,bind),
 }