]> git.ipfire.org Git - thirdparty/lxc.git/commitdiff
projects / thirdparty / lxc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 66c08be)
apparmor: Allow ro remount of boot_id 3495/head
authorStoiko Ivanov <s.ivanov@proxmox.com>
Wed, 22 Jul 2020 10:17:24 +0000 (12:17 +0200)
committerStoiko Ivanov <s.ivanov@proxmox.com>
Wed, 22 Jul 2020 12:13:39 +0000 (14:13 +0200)
The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
necessary mount calls for /proc/sys/kernel/random/boot_id
(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
config/apparmor/abstractions/start-container.in patch | blob | blame | history

diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
index 9998f1121e16f7c203b3306f82e81d1b3a5c8454..9f64c272715014ea7ba13238d1eaf33bedd58104 100644 (file)
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
@@ -22,6 +22,7 @@
   mount -> /var/lib/lxc/{**,},
 
   mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
+  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
 
   # required for some pre-mount hooks
   mount fstype=overlayfs,
Mirror of https://github.com/lxc/lxc.git