From: Stoiko Ivanov Date: Wed, 22 Jul 2020 10:17:24 +0000 (+0200) Subject: apparmor: Allow ro remount of boot_id X-Git-Tag: lxc-5.0.0~385^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3495%2Fhead;p=thirdparty%2Flxc.git apparmor: Allow ro remount of boot_id The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all necessary mount calls for /proc/sys/kernel/random/boot_id (in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. Signed-off-by: Stoiko Ivanov --- diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in index 9998f1121..9f64c2727 100644 --- a/config/apparmor/abstractions/start-container.in +++ b/config/apparmor/abstractions/start-container.in @@ -22,6 +22,7 @@ mount -> /var/lib/lxc/{**,}, mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, + mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, # required for some pre-mount hooks mount fstype=overlayfs,
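Review bot: The added `mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,` rule in the `@@ -22,6 +22,7 @@` hunk has no comment tying it to its caller, so nothing in the profile tells a later reader that the flag list has to track the mount calls in `lxc_setup_boot_id` (src/lxc/conf.c). This is the second fix for the same function (the commit message says the rule from 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 missed the ro remount), so a one-line comment above the two boot_id rules would help, in the style of the existing `# required for some pre-mount hooks` line, for example `# boot_id bind mount and ro remount, see lxc_setup_boot_id()`. Keeping the rule limited to the single boot_id target with an explicit flag list is the right scope. It would also be worth confirming against conf.c that the listed flags are the ones the remount passes, since the patch does not show that call.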