From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 24 Jul 2018 14:42:26 +0000 (+0200)
Subject: apparmor: allow start-container to change to lxc-**
X-Git-Tag: lxc-3.1.0~192^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=242a9fa7ee7e9f524de5a23917faa846ea525622;p=thirdparty%2Flxc.git

apparmor: allow start-container to change to lxc-**

For generated profiles with apparmor namespaces we get
profile names with slashes in them. To match those, we need
to allow changing to lxc-**, not just lxc-*.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---

diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index 414d058ba..3df9883e3 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -40,5 +40,6 @@
   pivot_root /usr/lib*/*/lxc/**,
 
   change_profile -> lxc-*,
+  change_profile -> lxc-**,
   change_profile -> unconfined,
   change_profile -> :lxc-*:unconfined,