From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Mon, 31 Mar 2014 22:29:40 +0000 (-0500)
Subject: apparmor: don't allow mounting cgroupfs by default
X-Git-Tag: lxc-1.0.3~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bca201391fd2eaef26c417044e1045f374392af;p=thirdparty%2Flxc.git

apparmor: don't allow mounting cgroupfs by default

Leave the line to do it (commented out) as some users may not be
using cgmanager, and may in fact still need those mounts.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---

diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
index 245f2f8fc..03325aae1 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -5,7 +5,8 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
   #include <abstractions/lxc/container-base>
   #include <abstractions/lxc/start-container>
 
-  mount fstype=cgroup -> /sys/fs/cgroup/**,
+#  Uncomment the line below if you are not using cgmanager
+#  mount fstype=cgroup -> /sys/fs/cgroup/**,
 
   mount fstype=proc -> /var/cache/lxc/**,
   mount fstype=sysfs -> /var/cache/lxc/**,