From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Mon, 22 Sep 2014 14:18:07 +0000 (+0000)
Subject: document the new lxc.aa_allow_incomplete flag
X-Git-Tag: lxc-1.1.0.alpha2~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93c709b;p=thirdparty%2Flxc.git

document the new lxc.aa_allow_incomplete flag

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 8dbab5f01..49fe493cd 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1041,6 +1041,27 @@ proc proc proc nodev,noexec,nosuid 0 0
 	      <programlisting>lxc.aa_profile = unconfined</programlisting>
 	  </listitem>
 	</varlistentry>
+	<varlistentry>
+	  <term>
+	    <option>lxc.aa_allow_incomplete</option>
+	  </term>
+	  <listitem>
+	    <para>
+	      Apparmor profiles are pathname based.  Therefore many file
+	      restrictions require mount restrictions to be effective against
+	      a determined attacker.  However, these mount restrictions are not
+	      yet implemented in the upstream kernel.  Without the mount
+	      restrictions, the apparmor profiles still protect against accidental
+	      damager.
+	    </para>
+	    <para>
+	      If this flag is 0 (default), then the container will not be
+	      started if the kernel lacks the apparmor mount features, so that a
+	      regression after a kernel upgrade will be detected.  To start the
+	      container under partial apparmor protection, set this flag to 1.
+	    </para>
+	  </listitem>
+	</varlistentry>
       </variablelist>
     </refsect2>