From: Wolfgang Bumiller Date: Wed, 25 Jul 2018 10:11:23 +0000 (+0200) Subject: apparmor: update current profiles X-Git-Tag: lxc-3.1.0~192^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e6aca3e3e71ae0cfad69456acd1dc503feaf964;p=thirdparty%2Flxc.git apparmor: update current profiles remove cgmanager rules and add fstype=cgroup2 variants for the existing fstype=cgroup rules Signed-off-by: Wolfgang Bumiller
---
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 16529bbf0..11ec5c45b 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -85,7 +85,6 @@
 mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
- mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
 mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 # deny reads from debugfs
diff --git a/config/apparmor/profiles/lxc-default-cgns b/config/apparmor/profiles/lxc-default-cgns
index ff599ef81..f69eb994b 100644
--- a/config/apparmor/profiles/lxc-default-cgns
+++ b/config/apparmor/profiles/lxc-default-cgns
@@ -9,4 +9,5 @@ profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
 # the newinstance option (but, right now, we don't).
 deny mount fstype=devpts,
 mount fstype=cgroup -> /sys/fs/cgroup/**,
+ mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 }
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
index 6e5745f97..cd198beb8 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -11,4 +11,5 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
 mount fstype=sysfs -> /var/cache/lxc/**,
 mount options=(rw,bind),
 mount fstype=cgroup -> /sys/fs/cgroup/**,
+ mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 }
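Review bot: The added `mount fstype=cgroup2 -> /sys/fs/cgroup/**,` (here and in the identical hunk for lxc-default-cgns) restricts only the filesystem type and the target path, with no `options=` clause and no comment saying what bounds it. What a container can reach through a fresh cgroup2 mount is then presumably limited by its cgroup namespace and delegation rather than by AppArmor, which is worth recording next to the rule, e.g. `# cgroup2: the visible subtree is bounded by the cgroup namespace, not by this rule`. Both profile bodies start above their hunks, so whether lxc-default-with-nesting requires a cgroup namespace cannot be seen here and should be confirmed. It is also worth checking whether `/sys/fs/cgroup/**` matches a mount placed directly on `/sys/fs/cgroup/`, the usual mount point in a unified-only layout; if it does not, the rule covers only hybrid layouts.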