From: Stéphane Graber Date: Wed, 14 Oct 2015 20:50:14 +0000 (-0700) Subject: apparmor: Sync with current git master X-Git-Tag: lxc-1.0.8~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c94ee7a0d54d189713c0d4775e8f8fbd27dc0e2a;p=thirdparty%2Flxc.git apparmor: Sync with current git master This makes stable-1.0, stable-1.1 and master all be in sync with regard to apparmor. This has the nice added benefit of fixing an apparmor regression with /dev/pts handling in some older kernels. Signed-off-by: Stéphane Graber
---
diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index e36196884..b06a84d3b 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -13,6 +13,7 @@
 mount -> /usr/lib/lxc/{**,},
 mount fstype=devpts -> /dev/pts/,
 mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+ mount options=bind /dev/pts/** -> /dev/**,
 mount options=(rw, make-slave) -> **,
 mount fstype=debugfs,
 # allow pre-mount hooks to stage mounts under /var/lib/lxc//
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
index bd7078a84..66aa5fd7d 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -12,5 +12,5 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
 deny /dev/.lxc/sys/** rw,
 mount fstype=proc -> /var/cache/lxc/**,
 mount fstype=sysfs -> /var/cache/lxc/**,
- mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,
+ mount options=(rw,bind),
 }
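Review bot: The added rule `mount options=bind /dev/pts/** -> /dev/**,` permits binding any pts device (or the pts tree itself) over any path under /dev, which is much wider than the adjacent `/dev/pts/ptmx/ -> /dev/ptmx/` rule, and the hunk gives no hint which mount needs it. The commit message attributes the change to a /dev/pts regression on older kernels, so presumably this covers LXC's own bind-mounting of pts devices into the container's /dev, but that reasoning is not recorded in the file. A one-line comment above the rule, e.g. `# lxc bind-mounts pts devices into the container's /dev; wide glob needed on older kernels`, would tell the next maintainer why the broad target is required and keep it from being tightened by mistake. Since this lives in the start-container abstraction, the widening presumably reaches every profile that includes it, not only the nesting one.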
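Review bot: The replacement rule `mount options=(rw,bind),` names neither a source nor a mountpoint, so within the nesting profile it allows read-write bind mounts from any path to any path, whereas the removed line was confined to `/var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/`. That may be exactly the master behaviour this commit syncs to, but the hunk records no reason, and a rule this broad sitting beside the narrowly scoped `fstype=proc` and `fstype=sysfs` rules deserves one. Please add a comment stating what nested containers need the unrestricted bind for, e.g. `# nested containers need arbitrary rw bind mounts; kept in sync with master` (wording adjusted to the actual reason), or, if the paths actually used are known, restrict the source and target to them.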