lxc-containers \
lxc-generate-aa-rules.py \
profiles/lxc-default \
+ profiles/lxc-default-cgns \
profiles/lxc-default-with-mounting \
profiles/lxc-default-with-nesting \
usr.bin.lxc-start
$(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
$(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
$(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+ $(INSTALL_DATA) profiles/lxc-default-cgns $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-cgns
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base
--- /dev/null
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/lxc/container-base>
+
+ # the container may never be allowed to mount devpts. If it does, it
+ # will remount the host's devpts. We could allow it to do it with
+ # the newinstance option (but, right now, we don't).
+ deny mount fstype=devpts,
+ mount fstype=cgroup -> /sys/fs/cgroup/**,
+}
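Review bot: The `mount fstype=cgroup -> /sys/fs/cgroup/**,` rule on the last line before `}` has no comment explaining why this variant permits a cgroup mount that the sibling lxc-default profile installed next to it (see the install lines above; its contents are not in this diff) presumably does not, and the rule is constrained only by fstype and destination — any cgroup hierarchy, any mount options, any depth under /sys/fs/cgroup. A comment such as `# allow the container to mount its own cgroup hierarchy; meant for kernels with cgroup namespaces, where the mount is confined to the container's namespace — confirm` would give the next reader the precondition this profile appears to assume. If that precondition is real, it belongs next to the "Do not load this file" header too, so an administrator does not select this profile on a kernel where the mount would expose the host's hierarchy. Note also that the rule matches only `fstype=cgroup`, so `cgroup2` is neither allowed nor explicitly denied here; make that choice deliberate and documented.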