From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 27 Jun 2016 20:20:00 +0000 (-0400)
Subject: AppArmor: add make-rslave to usr.bin.lxc-start
X-Git-Tag: lxc-2.1.0~402
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=667cfb7c2d48e896a1c56f839d586fd936b19b9f;p=thirdparty%2Flxc.git

AppArmor: add make-rslave to usr.bin.lxc-start

The profile already contains
  mount options=(rw, make-slave) -> **,

Which allows going through all mountpoints with make-slave,
so it seems to make sense to also allow the directly
recursive variant with "make-rslave".

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---

diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index b06a84d3b..eee0c2f2b 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -15,6 +15,7 @@
   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
   mount options=bind /dev/pts/** -> /dev/**,
   mount options=(rw, make-slave) -> **,
+  mount options=(rw, make-rslave) -> **,
   mount fstype=debugfs,
   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
   mount -> /var/lib/lxc/{**,},