From: Serge Hallyn Date: Thu, 29 Jan 2015 23:50:41 +0000 (+0000) Subject: apparmor: support lxc.ttydir when bind-mounting ptys X-Git-Tag: lxc-1.1.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b0c17462ad4f9a05ea6e5ced5e444152ec7a193;p=thirdparty%2Flxc.git apparmor: support lxc.ttydir when bind-mounting ptys Because we now create the ttys from inside the container, we had to add an apparmor rule for start-container to bind-mount /dev/pts/** -> /dev/tty*/. However that's not sufficient if the container sets lxc.ttydir, in which case we need to support mounting onto files in subdirs of /dev. Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber --- diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container index 0d02379dc..b06a84d3b 100644 --- a/config/apparmor/abstractions/start-container +++ b/config/apparmor/abstractions/start-container @@ -13,7 +13,7 @@ mount -> /usr/lib/lxc/{**,}, mount fstype=devpts -> /dev/pts/, mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, - mount options=bind /dev/pts/** -> /dev/tty*/, + mount options=bind /dev/pts/** -> /dev/**, mount options=(rw, make-slave) -> **, mount fstype=debugfs, # allow pre-mount hooks to stage mounts under /var/lib/lxc//
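Review bot: The new target in `mount options=bind /dev/pts/** -> /dev/**,` is wider than the need stated in the commit message ("files in subdirs of /dev"). It permits a pts bind mount onto any path at any depth under /dev, not only tty nodes inside the lxc.ttydir directory. The source side is still limited to `/dev/pts/**`, which bounds what can be mounted, but the destination is now effectively unconstrained within /dev. Consider keeping the original `/dev/tty*/` rule and adding a second, narrower rule for the ttydir case, for example a one-level target such as `/dev/*/tty*` if that matches how lxc.ttydir lays out the nodes. Whichever pattern is kept, the rule has no comment: add one above it naming lxc.ttydir as the reason for the wide target, in the same style as the existing `# allow pre-mount hooks ...` comment, so the breadth is not mistaken for an oversight in a later audit of the profile.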