apparmor: Allow slave bind mounts

Without this, if the system uses shared subtrees by default (like systemd), you
get a large stream of

  lxc-start: Permission denied - Failed to make /<mountpoint> rslave
  lxc-start: Continuing...

with

  apparmor="DENIED" operation="mount" info="failed flags match" error=-13
  profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave"

and eventual failure plus a lot of leftover mounts in the host.

https://launchpad.net/bugs/1325468

diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index e31f8f3ba05eb8acbfb7468879e35124d7f033ff..1bb94c62659c465cd6955bb810061d09ce6a6fc1 100644 (file)
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -13,6 +13,7 @@
   mount -> /usr/lib/lxc/{**,},
   mount fstype=devpts -> /dev/pts/,
   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+  mount options=(rw, slave) -> /,
   mount fstype=debugfs,
   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
   mount -> /var/lib/lxc/{**,},