From: Stéphane Graber
Date: Tue, 8 Apr 2014 17:17:27 +0000 (-0400)
Subject: apparmor: Use more generic allow rule for pivot
X-Git-Tag: lxc-1.1.0.alpha1~154
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=524505b9714beac89f4952296cefa9f997168b98;p=thirdparty%2Flxc.git

apparmor: Use more generic allow rule for pivot

Recent fixes in the apparmor kernel code are now making at least the CI environment and quite possibly some others fail due to an invalid path in the pivot_root stanza.

So update both lines to allow a more generic pivot_root call for anything in LXC's work directory.

Signed-off-by: Stéphane Graber
Acked-by: Serge E. Hallyn
---

diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container index d10996bd7..e31f8f3ba 100644 --- a/config/apparmor/abstractions/start-container +++ b/config/apparmor/abstractions/start-container @@ -28,8 +28,13 @@ umount, #umount /mnt/{**,}, + # This may look a bit redundant, however it appears we need all of + # them if we want things to work properly on all combinations of kernel + # and userspace parser... + pivot_root /usr/lib/lxc/, pivot_root /usr/lib/*/lxc/, - pivot_root /usr/lib/lxc/root/, + pivot_root /usr/lib/lxc/**, + pivot_root /usr/lib/*/lxc/**, change_profile -> lxc-*, change_profile -> unconfined,
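
Review bot: The two added glob rules, `pivot_root /usr/lib/lxc/**,` and `pivot_root /usr/lib/*/lxc/**,`, widen the permitted new root from the single removed path `/usr/lib/lxc/root/` to any path at any depth under the LXC directory, and the added comment does not say which kernel and userspace parser combination needs which of the four rules. Suggest recording that mapping in the comment or the commit message, so the broader globs can be narrowed again once the combinations that need them are identified, and noting why the exact-directory forms (`/usr/lib/lxc/,` and `/usr/lib/*/lxc/,`) must stay alongside the `**` forms.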