From: Wolfgang Bumiller
Date: Tue, 2 Feb 2016 08:13:04 +0000 (+0100)
Subject: apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/}
X-Git-Tag: lxc-1.0.9~95
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7f910ce29be2dc845702564cb8079d36d0f12b5;p=thirdparty%2Flxc.git

apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/}

Some systems need to be able to bind-mount /run to /var/run and /run/lock to /var/run/lock. (Tested with opensuse 13.1 containers migrated from openvz.)

Signed-off-by: Wolfgang Bumiller
---

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 235913b52..c0bb2977b 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -62,6 +62,10 @@
 # allow bind mount of /lib/init/fstab for lxcguest
 mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
 
+ # allow bind mounts of /run/{,lock} to /var/run/{,lock}
+ mount options=(rw, bind) /run/ -> /var/run/,
+ mount options=(rw, bind) /run/lock/ -> /var/lock/,
+
 # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
 mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
 deny @{PROC}/sys/fs/** wklx,
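Review bot: The second added rule grants `/run/lock/ -> /var/lock/`, but the commit title, the description and the new comment line all say the target is `/var/run/lock`; either the rule or the comment is wrong, and if both destinations are needed in practice a rule for `/var/run/lock/` is missing. Since `container-base` is included by every profile built on it, the comment should name exactly the destinations the abstraction permits so the grant can be audited, e.g. `# allow bind mounts of /run/ -> /var/run/ and /run/lock/ -> /var/lock/`. Whether the path mismatch is masked by `/var/lock` being a symlink to `/run/lock` on the tested guests is not visible from the hunk and should be confirmed. The rest of the abstraction continues outside the hunk.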