apparmor: Use more generic allow rule for pivot

Recent fixes in the apparmor kernel code is now making at least the CI
environment and quite possibly some others fail due to an invalid path
in the pivot_root stanza.

So update both lines to allow a more generic pivot_root call for
anything in LXC's work directory.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index d10996bd70e1baaf1228db31e9b56e4e051e71a4..e31f8f3ba05eb8acbfb7468879e35124d7f033ff 100644 (file)
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -28,8 +28,13 @@
   umount,
   #umount /mnt/{**,},
 
+  # This may look a bit redundant, however it appears we need all of
+  # them if we want things to work properly on all combinations of kernel
+  # and userspace parser...
+  pivot_root /usr/lib/lxc/,
   pivot_root /usr/lib/*/lxc/,
-  pivot_root /usr/lib/lxc/root/,
+  pivot_root /usr/lib/lxc/**,
+  pivot_root /usr/lib/*/lxc/**,
 
   change_profile -> lxc-*,
   change_profile -> unconfined,