Merge pull request #1695 from 0x0916/2017-07-12/update-doc-and-test

config/selinux/lxc.te

@@ -7,7 +7,7 @@
 # semodule -i lxc.pp
 #
 # In your container's lxc config:
-#   lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
+#   lxc.selinux.context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
 #
 # Ensure your container's rootfs files are labeled:
 #   chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs

config/templates/debian.common.conf.in

@@ -7,12 +7,12 @@ lxc.tty.dir =
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
+#lxc.apparmor.profile = lxc-container-default-with-mounting
 
 # Extra cgroup device access
 ## rtc

config/templates/nesting.conf.in

 # Use a profile which allows nesting
-lxc.aa_profile = lxc-container-default-with-nesting
+lxc.apparmor.profile = lxc-container-default-with-nesting
 
 # Add uncovered mounts of proc and sys, else unprivileged users
 # cannot remount those

config/templates/ubuntu.common.conf.in

@@ -10,7 +10,7 @@ lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
 # When using LXC with apparmor, the container will be confined by default.
 # If you wish for it to instead run unconfined, copy the following line
 # (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 # Uncomment the following line to autodetect squid-deb-proxy configuration on the
 # host and forward it to the guest at start time.
@@ -19,7 +19,7 @@ lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
+#lxc.apparmor.profile = lxc-container-default-with-mounting
 
 # Extra cgroup device access
 ## rtc

doc/ja/lxc.container.conf.sgml.in

@@ -1438,7 +1438,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       <variablelist>
         <varlistentry>
           <term>
-            <option>lxc.rootfs</option>
+            <option>lxc.rootfs.path</option>
           </term>
           <listitem>
             <para>
@@ -1486,7 +1486,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
           <listitem>
             <para>
               <!--
-              where to recursively bind <option>lxc.rootfs</option>
+              where to recursively bind <option>lxc.rootfs.path</option>
               before pivoting.  This is to ensure success of the
               <citerefentry>
                 <refentrytitle><command>pivot_root</command></refentrytitle>
@@ -1495,7 +1495,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               syscall.  Any directory suffices, the default should
               generally work.
               -->
-              root ファイルシステムの変更の前に、<option>lxc.rootfs</option> を再帰的にどこにバインドするのかを指定します。これは
+              root ファイルシステムの変更の前に、<option>lxc.rootfs.path</option> を再帰的にどこにバインドするのかを指定します。これは
               <citerefentry>
                 <refentrytitle><command>pivot_root</command></refentrytitle>
                 <manvolnum>8</manvolnum>
@@ -1690,7 +1690,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       <variablelist>
         <varlistentry>
           <term>
-            <option>lxc.aa_profile</option>
+            <option>lxc.apparmor.profile</option>
           </term>
           <listitem>
             <para>
@@ -1702,7 +1702,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               コンテナが従うべき apparmor プロファイルを指定します。
               コンテナが apparmor による制限を受けないように設定するには、以下のように設定します。
             </para>
-              <programlisting>lxc.aa_profile = unconfined</programlisting>
+              <programlisting>lxc.apparmor.profile = unconfined</programlisting>
             <para>
               <!--
               If the apparmor profile should remain unchanged (i.e. if you
@@ -1710,12 +1710,12 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               -->
               もし apparmor プロファイルが変更されないままでなくてはならない場合 (ネストしたコンテナである場合や、すでに confined されている場合) は以下のように設定します。
             </para>
-              <programlisting>lxc.aa_profile = unchanged</programlisting>
+              <programlisting>lxc.apparmor.profile = unchanged</programlisting>
           </listitem>
         </varlistentry>
         <varlistentry>
           <term>
-            <option>lxc.aa_allow_incomplete</option>
+            <option>lxc.apparmor.allow_incomplete</option>
           </term>
           <listitem>
             <para>
@@ -1764,7 +1764,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       <variablelist>
         <varlistentry>
           <term>
-            <option>lxc.se_context</option>
+            <option>lxc.selinux.context</option>
           </term>
           <listitem>
             <para>
@@ -1774,7 +1774,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               -->
               コンテナが従うべき SELinux コンテキストを指定するか、<command>unconfined_t</command> を指定します。例えば以下のように設定します。
             </para>
-            <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
+            <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -1958,7 +1958,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
           <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
           <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
           <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
-          <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container.  Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
+          <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry for the container.  Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
         </itemizedlist>
         -->
         コンテナのフックが実行されるとき、情報がコマンドライン引数と環境変数の両方を通して渡されます。引数は:
@@ -1974,7 +1974,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
           <listitem><para> LXC_ROOTFS_MOUNT: マウントされた root ファイルシステムへのパス</para></listitem>
           <listitem><para> LXC_CONFIG_FILE: コンテナの設定ファイルのパス </para></listitem>
           <listitem><para> LXC_SRC_NAME: clone フックの場合、元のコンテナの名前</para></listitem>
-          <listitem><para> LXC_ROOTFS_PATH: コンテナの lxc.rootfs エントリ。これはマウントされた rootfs が存在する場所にはならないでしょう。それには LXC_ROOTFS_MOUNT を使用してください。</para></listitem>
+          <listitem><para> LXC_ROOTFS_PATH: コンテナの lxc.rootfs.path エントリ。これはマウントされた rootfs が存在する場所にはならないでしょう。それには LXC_ROOTFS_MOUNT を使用してください。</para></listitem>
         </itemizedlist>
       </para>
       <para>
@@ -2280,10 +2280,10 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               <!--
               The host relative path to the container root which has been
               mounted to the rootfs.mount location.
-              [<option>lxc.rootfs</option>]
+              [<option>lxc.rootfs.path</option>]
               -->
               rootfs.mount へマウントされるコンテナのルートへのホスト上のパスです。
-              [<option>lxc.rootfs</option>]
+              [<option>lxc.rootfs.path</option>]
             </para>
           </listitem>
         </varlistentry>
@@ -2705,7 +2705,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
         lxc.cgroup.devices.allow = b 8:0 rw
         lxc.mount.fstab = /etc/fstab.complex
         lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
-        lxc.rootfs = /mnt/rootfs.complex
+        lxc.rootfs.path = dir:/mnt/rootfs.complex
         lxc.cap.drop = sys_module mknod setuid net_raw
         lxc.cap.drop = mac_override
       </programlisting>

doc/ko/lxc.container.conf.sgml.in

@@ -658,7 +658,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
 
 	<varlistentry>
 	  <term>
-	    <option>lxc.net.[i].ipv4</option>
+	    <option>lxc.net.[i].ipv4.address</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -709,7 +709,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
 
 	<varlistentry>
 	  <term>
-	    <option>lxc.net.[i].ipv6</option>
+	    <option>lxc.net.[i].ipv6.address</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -837,7 +837,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       <variablelist>
 	<varlistentry>
 	  <term>
-	    <option>lxc.pts</option>
+	    <option>lxc.pty.max</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -881,7 +881,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
 	</varlistentry>
 	<varlistentry>
 	  <term>
-	    <option>lxc.console</option>
+	    <option>lxc.console.path</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -920,7 +920,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       <variablelist>
 	<varlistentry>
 	  <term>
-	    <option>lxc.tty</option>
+	    <option>lxc.tty.max</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -957,7 +957,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       <variablelist>
 	<varlistentry>
 	  <term>
-	    <option>lxc.devttydir</option>
+	    <option>lxc.tty.dir</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -1069,7 +1069,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       <variablelist>
 	<varlistentry>
 	  <term>
-	    <option>lxc.mount</option>
+	    <option>lxc.mount.fstab</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -1426,7 +1426,7 @@ proc proc proc nodev,noexec,nosuid 0 0
       <variablelist>
 	<varlistentry>
 	  <term>
-	    <option>lxc.rootfs</option>
+	    <option>lxc.rootfs.path</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -1471,7 +1471,7 @@ proc proc proc nodev,noexec,nosuid 0 0
 	  <listitem>
 	    <para>
               <!--
-	      where to recursively bind <option>lxc.rootfs</option>
+	      where to recursively bind <option>lxc.rootfs.path</option>
 	      before pivoting.  This is to ensure success of the
 	      <citerefentry>
 		<refentrytitle><command>pivot_root</command></refentrytitle>
@@ -1480,7 +1480,7 @@ proc proc proc nodev,noexec,nosuid 0 0
 	      syscall.  Any directory suffices, the default should
 	      generally work.
               -->
-              루트 파일시스템을 변경하기 전에, <option>lxc.rootfs</option>을 어디에 재귀적으로 바인드할지 정한다. 이는 
+              루트 파일시스템을 변경하기 전에, <option>lxc.rootfs.path</option>을 어디에 재귀적으로 바인드할지 정한다. 이는 
 	      <citerefentry>
 		<refentrytitle><command>pivot_root</command></refentrytitle>
 		<manvolnum>8</manvolnum>
@@ -1630,7 +1630,7 @@ proc proc proc nodev,noexec,nosuid 0 0
       <variablelist>
 	<varlistentry>
 	  <term>
-	    <option>lxc.aa_profile</option>
+	    <option>lxc.apparmor.profile</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -1642,7 +1642,7 @@ proc proc proc nodev,noexec,nosuid 0 0
               컨테이너가 따라야할 apparmor 프로파일을 지정한다.
               컨테이너가 apparmor로 인한 제한을 받지 않도록 하려면, 아래와 같이 지정하면 된다.
 	    </para>
-	      <programlisting>lxc.aa_profile = unconfined</programlisting>
+	      <programlisting>lxc.apparmor.profile = unconfined</programlisting>
             <para>
 	      <!--
               If the apparmor profile should remain unchanged (i.e. if you
@@ -1650,12 +1650,12 @@ proc proc proc nodev,noexec,nosuid 0 0
 	      -->
               apparmor 프로파일이 변경되지 않아야 한다면(중첩 컨테이너 안에 있고, 이미 confined된 경우), 아래와 같이 지정하면 된다.
             </para>
-              <programlisting>lxc.aa_profile = unchanged</programlisting>
+              <programlisting>lxc.apparmor.profile = unchanged</programlisting>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>
-	    <option>lxc.aa_allow_incomplete</option>
+	    <option>lxc.apparmor.allow_incomplete</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -1704,7 +1704,7 @@ proc proc proc nodev,noexec,nosuid 0 0
       <variablelist>
 	<varlistentry>
 	  <term>
-	    <option>lxc.se_context</option>
+	    <option>lxc.selinux.context</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -1714,7 +1714,7 @@ proc proc proc nodev,noexec,nosuid 0 0
               -->
               컨테이너가 따라야할 SELinux 컨텍스트를 지정하거나, <command>unconfined_t</command>를 지정할 수 있다. 예를 들어 아래와 같이 지정 가능하다.
 	    </para>
-	    <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
+	    <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
 	  </listitem>
 	</varlistentry>
       </variablelist>
@@ -1768,7 +1768,7 @@ mknod errno 0
       <variablelist>
 	<varlistentry>
 	  <term>
-	    <option>lxc.seccomp</option>
+	    <option>lxc.seccomp.profile</option>
 	  </term>
 	  <listitem>
 	    <para>
@@ -1889,7 +1889,7 @@ mknod errno 0
 	  <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
 	  <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
 	  <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
-	  <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container.  Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
+	  <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry for the container.  Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
 	</itemizedlist>
         -->
         컨테이너 훅이 실행될 때, 정보는 명령어 인수나 환경 변수를 통해 넘겨진다.
@@ -1906,7 +1906,7 @@ mknod errno 0
 	  <listitem><para> LXC_ROOTFS_MOUNT: 마운트될 루트 파일시스템의 경로</para></listitem>
 	  <listitem><para> LXC_CONFIG_FILE: 컨테이너 설정파일의 경로</para></listitem>
 	  <listitem><para> LXC_SRC_NAME: clone 훅의 경우, 원본 컨테이너의 이름</para></listitem>
-	  <listitem><para> LXC_ROOTFS_PATH: 컨테이너의 lxc.rootfs 항목. 이 것은 마운트된 루트 파일시스템을 가리키는 것이 아님에 주의해야한다. 그 목적을 위해서는  LXC_ROOTFS_MOUNT를 사용해야 한다.</para></listitem>
+	  <listitem><para> LXC_ROOTFS_PATH: 컨테이너의 lxc.rootfs.path 항목. 이 것은 마운트된 루트 파일시스템을 가리키는 것이 아님에 주의해야한다. 그 목적을 위해서는  LXC_ROOTFS_MOUNT를 사용해야 한다.</para></listitem>
         </itemizedlist>
       </para>
       <para>
@@ -2150,10 +2150,10 @@ mknod errno 0
 	    <para>
               <!--
 	      The path to the console output of the container if not NULL.
-	      [<option>-c</option>] [<option>lxc.console</option>]
+	      [<option>-c</option>] [<option>lxc.console.path</option>]
               -->
               NULL이 아니라면, 컨테이너의 콘솔의 출력이 저장될 경로.
-	      [<option>-c</option>] [<option>lxc.console</option>]
+	      [<option>-c</option>] [<option>lxc.console.path</option>]
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -2206,10 +2206,10 @@ mknod errno 0
               <!--
 	      The host relative path to the container root which has been
 	      mounted to the rootfs.mount location.
-	      [<option>lxc.rootfs</option>]
+	      [<option>lxc.rootfs.path</option>]
               -->
               rootfs.mount에 마운트된 컨테이너 루트의 호스트에서의 경로이다.
-              [<option>lxc.rootfs</option>]
+              [<option>lxc.rootfs.path</option>]
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -2552,8 +2552,8 @@ mknod errno 0
 	lxc.net.0.link = br0
 	lxc.net.0.name = eth0
 	lxc.net.0.hwaddr = 4a:49:43:49:79:bf
-	lxc.net.0.ipv4 = 1.2.3.5/24 1.2.3.255
-	lxc.net.0.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
+	lxc.net.0.ipv4.address = 1.2.3.5/24 1.2.3.255
+	lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
       </programlisting>
     </refsect2>
 
@@ -2601,30 +2601,30 @@ mknod errno 0
 	lxc.net.0.flags = up
 	lxc.net.0.link = br0
 	lxc.net.0.hwaddr = 4a:49:43:49:79:bf
-	lxc.net.0.ipv4 = 10.2.3.5/24 10.2.3.255
-	lxc.net.0.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
-	lxc.net.0.ipv6 = 2003:db8:1:0:214:5432:feab:3588
+	lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
+	lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
+	lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588
 	lxc.net.1.type = macvlan
 	lxc.net.1.flags = up
 	lxc.net.1.link = eth0
 	lxc.net.1.hwaddr = 4a:49:43:49:79:bd
-	lxc.net.1.ipv4 = 10.2.3.4/24
-	lxc.net.1.ipv4 = 192.168.10.125/24
-	lxc.net.1.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
+	lxc.net.1.ipv4.address = 10.2.3.4/24
+	lxc.net.1.ipv4.address = 192.168.10.125/24
+	lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
 	lxc.net.2.type = phys
 	lxc.net.2.flags = up
 	lxc.net.2.link = dummy0
 	lxc.net.2.hwaddr = 4a:49:43:49:79:ff
-	lxc.net.2.ipv4 = 10.2.3.6/24
-	lxc.net.2.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
+	lxc.net.2.ipv4.address = 10.2.3.6/24
+	lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297
 	lxc.cgroup.cpuset.cpus = 0,1
 	lxc.cgroup.cpu.shares = 1234
 	lxc.cgroup.devices.deny = a
 	lxc.cgroup.devices.allow = c 1:3 rw
 	lxc.cgroup.devices.allow = b 8:0 rw
-	lxc.mount = /etc/fstab.complex
+	lxc.mount.fstab = /etc/fstab.complex
 	lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
-	lxc.rootfs = /mnt/rootfs.complex
+	lxc.rootfs.path = dir:/mnt/rootfs.complex
 	lxc.cap.drop = sys_module mknod setuid net_raw
 	lxc.cap.drop = mac_override
       </programlisting>

doc/lxc.container.conf.sgml.in

@@ -1224,7 +1224,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
       <variablelist>
         <varlistentry>
           <term>
-            <option>lxc.aa_profile</option>
+            <option>lxc.apparmor.profile</option>
           </term>
           <listitem>
             <para>
@@ -1232,17 +1232,17 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
               be run.  To specify that the container should be unconfined,
               use
             </para>
-              <programlisting>lxc.aa_profile = unconfined</programlisting>
+              <programlisting>lxc.apparmor.profile = unconfined</programlisting>
             <para>
               If the apparmor profile should remain unchanged (i.e. if you
 	      are nesting containers and are already confined), then use
             </para>
-              <programlisting>lxc.aa_profile = unchanged</programlisting>
+              <programlisting>lxc.apparmor.profile = unchanged</programlisting>
           </listitem>
         </varlistentry>
         <varlistentry>
           <term>
-            <option>lxc.aa_allow_incomplete</option>
+            <option>lxc.apparmor.allow_incomplete</option>
           </term>
           <listitem>
             <para>
@@ -1278,14 +1278,14 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
       <variablelist>
         <varlistentry>
           <term>
-            <option>lxc.se_context</option>
+            <option>lxc.selinux.context</option>
           </term>
           <listitem>
             <para>
               Specify the SELinux context under which the container should
               be run or <command>unconfined_t</command>. For example
             </para>
-            <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
+            <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
           </listitem>
         </varlistentry>
       </variablelist>

src/lxc/confile.c

@@ -1370,7 +1370,7 @@ static int set_config_apparmor_allow_incomplete(const char *key,
 		return -1;
 
 	if (lxc_conf->lsm_aa_allow_incomplete > 1) {
-		ERROR("Wrong value for lxc.lsm_aa_allow_incomplete. Can only "
+		ERROR("Wrong value for lxc.apparmor.allow_incomplete. Can only "
 		      "be set to 0 or 1");
 		return -1;
 	}

src/lxc/lsm/apparmor.c

@@ -218,7 +218,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 		WARN("Incomplete AppArmor support in your kernel");
 		if (!conf->lsm_aa_allow_incomplete) {
 			ERROR("If you really want to start this container, set");
-			ERROR("lxc.aa_allow_incomplete = 1");
+			ERROR("lxc.apparmor.allow_incomplete = 1");
 			ERROR("in your container configuration file");
 			return -1;
 		}

src/tests/attach.c

@@ -51,11 +51,11 @@ static void test_lsm_detect(void)
 {
 	if (lsm_enabled()) {
 		if (!strcmp(lsm_name(), "SELinux")) {
-			lsm_config_key = "lxc.se_context";
+			lsm_config_key = "lxc.selinux.context";
 			lsm_label      = "unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023";
 		}
 		else if (!strcmp(lsm_name(), "AppArmor")) {
-			lsm_config_key = "lxc.aa_profile";
+			lsm_config_key = "lxc.apparmor.profile";
 			if (file_exists("/proc/self/ns/cgroup"))
 				lsm_label      = "lxc-container-default-cgns";
 			else

src/tests/lxc-test-apparmor-mount

@@ -170,7 +170,7 @@ fi
 run_cmd lxc-stop -n $cname -k
 
 echo "test regular unconfined container"
-echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
+echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
 run_cmd lxc-start -n $cname -d
 run_cmd lxc-wait -n $cname -s RUNNING
 pid=`run_cmd lxc-info -p -H -n $cname`
@@ -185,7 +185,7 @@ echo "masking $MOUNTSR"
 mount --bind $dnam $MOUNTSR
 
 echo "test default confined container"
-sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
+sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
 run_cmd lxc-start -n $cname -d || true
 sleep 3
 pid=`run_cmd lxc-info -p -H -n $cname` || true
@@ -196,7 +196,7 @@ if [ -n "$pid" -a "$pid" != "-1" ]; then
 fi
 
 echo "test regular unconfined container"
-echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
+echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
 run_cmd lxc-start -n $cname -d
 run_cmd lxc-wait -n $cname -s RUNNING
 pid=`run_cmd lxc-info -p -H -n $cname`
@@ -212,8 +212,8 @@ fi
 run_cmd lxc-stop -n $cname -k
 
 echo "testing override"
-sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
-echo "lxc.aa_allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
+sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
+echo "lxc.apparmor.allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
 run_cmd lxc-start -n $cname -d
 run_cmd lxc-wait -n $cname -s RUNNING
 pid=`run_cmd lxc-info -p -H -n $cname`

src/tests/parse_config_file.c

@@ -371,7 +371,7 @@ int main(int argc, char *argv[])
 	 */
 	if (set_get_compare_clear_save_load(c, "lxc.se_context", "system_u:system_r:lxc_t:s0:c22",
 					    tmpf, true) < 0) {
-		lxc_error("%s\n", "lxc.apparmor.se_context");
+		lxc_error("%s\n", "lxc.se_context");
 		goto non_test_error;
 	}
 
@@ -392,7 +392,7 @@ int main(int argc, char *argv[])
 	/* lxc.selinux.context */
 	if (set_get_compare_clear_save_load(c, "lxc.selinux.context", "system_u:system_r:lxc_t:s0:c22",
 					    tmpf, true) < 0) {
-		lxc_error("%s\n", "lxc.apparmor.selinux.context");
+		lxc_error("%s\n", "lxc.selinux.context");
 		goto non_test_error;
 	}
 

templates/lxc-altlinux.in

@@ -282,7 +282,7 @@ lxc.pty.max = 1024
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 #networking
 #lxc.net.0.type = $lxc_network_type

templates/lxc-busybox.in

@@ -349,7 +349,7 @@ lxc.pty.max = 1
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0

templates/lxc-centos.in

@@ -644,7 +644,7 @@ lxc.arch = $arch
 lxc.uts.name = $utsname
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 # example simple networking setup, uncomment to enable
 #lxc.net.0.type = $lxc_network_type

templates/lxc-cirros.in

@@ -128,7 +128,7 @@ lxc.arch = $arch
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 
 lxc.cgroup.devices.deny = a

templates/lxc-fedora-legacy.in

@@ -1130,7 +1130,7 @@ lxc.arch = $arch
 lxc.uts.name = $utsname
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 # example simple networking setup, uncomment to enable
 #lxc.net.0.type = $lxc_network_type

templates/lxc-fedora.in

@@ -489,7 +489,7 @@ lxc.arch = ${basearch}
 lxc.uts.name = ${utsname}
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 # example simple networking setup, uncomment to enable
 #lxc.net.0.type = ${lxc_network_type}

templates/lxc-openmandriva.in

@@ -235,7 +235,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 #networking
 lxc.net.0.type = $lxc_network_type

templates/lxc-opensuse.in

@@ -355,7 +355,7 @@ lxc.uts.name = $name
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-lxc.aa_profile = unconfined
+lxc.apparmor.profile = unconfined
 
 # example simple networking setup, uncomment to enable
 #lxc.net.0.type = $lxc_network_type

templates/lxc-pld.in

@@ -248,7 +248,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 lxc.autodev = $auto_dev
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 ## Devices
 # Allow all devices

templates/lxc-sshd.in

@@ -134,7 +134,7 @@ lxc.pty.max = 1024
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
 
 lxc.mount.entry = /dev dev none ro,bind 0 0
 lxc.mount.entry = /lib lib none ro,bind 0 0