config/apparmor · lxc-3.1.0 · Chen Yisong / lxc

apparmor: allow various remount,bind options · e6ec0a9e

authored Nov 15, 2018

RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

e6ec0a9e

Name	Last commit	Last update
..
abstractions		Loading commit data...
profiles		Loading commit data...
Makefile.am		Loading commit data...
README		Loading commit data...
container-rules		Loading commit data...
container-rules.base		Loading commit data...
lxc-containers		Loading commit data...
lxc-generate-aa-rules.py		Loading commit data...
usr.bin.lxc-start		Loading commit data...

README