From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Wed, 27 Mar 2019 07:56:20 +0000 (+0900)
Subject: doc: Add the description of apparmor profile generation to man pages
X-Git-Tag: lxc-3.2.0~110^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8dca2bd3aee03129db01e5d94a3686bcd886dba9;p=thirdparty%2Flxc.git

doc: Add the description of apparmor profile generation to man pages

Only add to English and Japanese man pages.

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
---

diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index 6671221e3..7db396f45 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -2337,6 +2337,14 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               ãã apparmor ãã­ãã¡ã¤ã«ãå¤æ´ãããªãã¾ã¾ã§ãªãã¦ã¯ãªããªãå ´å (ãã¹ãããã³ã³ããã§ããå ´åãããã§ã« confined ããã¦ããå ´å) ã¯ä»¥ä¸ã®ããã«è¨­å®ãã¾ãã
             </para>
               <programlisting>lxc.apparmor.profile = unchanged</programlisting>
+            <para>
+              <!--
+                If you instruct LXC to generate the apparmor profile,
+                then use
+                -->
+              ãã LXC ã« AppArmor ãã­ãã¡ã¤ã«ãçæããããã«æç¤ºããã«ã¯æ¬¡ã®ããã«è¨­å®ãã¾ãã
+            </para>
+              <programlisting>lxc.apparmor.profile = generated</programlisting>
           </listitem>
         </varlistentry>
         <varlistentry>
@@ -2368,6 +2376,46 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
             </para>
           </listitem>
         </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.apparmor.allow_nesting</option>
+          </term>
+          <listitem>
+            <para>
+              <!--
+              If set this to 1, causes the following changes. When
+              generated apparmor profiles are used, they will contain
+              the necessary changes to allow creating a nested
+              container. In addition to the usual mount points,
+              <filename>/dev/.lxc/proc</filename>
+              and <filename>/dev/.lxc/sys</filename> will contain
+              procfs and sysfs mount points without the lxcfs
+              overlays, which, if generated apparmor profiles are
+              being used, will not be read/writable directly.
+              -->
+              1 ã«è¨­å®ããã¨æ¬¡ã®ãããªå¤æ´ãè¡ããã¾ãã
+              generated ãª AppArmor ãã­ãã¡ã¤ã«ãä½¿ãããå ´åããã¹ãããã³ã³ãããä½¿ãã®ã«å¿è¦ãªå¤æ´ãå«ã¾ãã¾ããéå¸¸ã®ãã¦ã³ããã¤ã³ãã«å ãã¦ãlxcfs ã®ãªã¼ãã¼ã¬ã¤ãªãã§ã<filename>/dev/.lxc/proc</filename> ã¨ <filename>/dev/.lxc/sys</filename> ã procfs ã¨ sysfs ã®ãã¦ã³ããã¤ã³ãã«å«ã¾ãã¾ãã
+              generated ãª AppArmor ãã­ãã¡ã¤ã«ãä½¿ããã¦ããå ´åã¯ãç´æ¥èª­ã¿æ¸ãã¯ã§ãã¾ãã
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.apparmor.raw</option>
+          </term>
+          <listitem>
+            <para>
+              <!--
+              A list of raw AppArmor profile lines to append to the
+              profile. Only valid when using generated profiles.
+                -->
+              ãã­ãã¡ã¤ã«ã«å ãããçã® AppArmor ãã­ãã¡ã¤ã«è¡ã®ãªã¹ãã§ããgenerated ãªãã­ãã¡ã¤ã«ãä½¿ã£ã¦ããã¨ãã®ã¿æå¹ã§ãã
+            </para>
+          </listitem>
+        </varlistentry>
+
       </variablelist>
     </refsect2>
 
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index ff90d07b0..ee78e49a3 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1751,6 +1751,11 @@ dev/null proc/kcore none bind,relative 0 0
 	      are nesting containers and are already confined), then use
             </para>
               <programlisting>lxc.apparmor.profile = unchanged</programlisting>
+            <para>
+              If you instruct LXC to generate the apparmor profile,
+              then use
+            </para>
+              <programlisting>lxc.apparmor.profile = generated</programlisting>
           </listitem>
         </varlistentry>
         <varlistentry>
@@ -1774,6 +1779,38 @@ dev/null proc/kcore none bind,relative 0 0
             </para>
           </listitem>
         </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.apparmor.allow_nesting</option>
+          </term>
+          <listitem>
+            <para>
+              If set this to 1, causes the following changes. When
+              generated apparmor profiles are used, they will contain
+              the necessary changes to allow creating a nested
+              container. In addition to the usual mount points,
+              <filename>/dev/.lxc/proc</filename>
+              and <filename>/dev/.lxc/sys</filename> will contain
+              procfs and sysfs mount points without the lxcfs
+              overlays, which, if generated apparmor profiles are
+              being used, will not be read/writable directly.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.apparmor.raw</option>
+          </term>
+          <listitem>
+            <para>
+              A list of raw AppArmor profile lines to append to the
+              profile. Only valid when using generated profiles.
+            </para>
+          </listitem>
+        </varlistentry>
+
       </variablelist>
     </refsect2>
 
