From: Martin Pitt <martin.pitt@ubuntu.com>
Date: Thu, 8 Jan 2015 12:09:37 +0000 (+0100)
Subject: apparmor: Fix slave bind mounts
X-Git-Tag: lxc-1.1.0.rc1~42^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F393%2Fhead;p=thirdparty%2Flxc.git

apparmor: Fix slave bind mounts

The permission to make a mount "slave" is spelt "make-slave", not "slave", see
https://launchpad.net/bugs/1401619. Also, we need to make all mounts slave, not
just the root dir.

https://launchpad.net/bugs/1350947
---

diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index 1bb94c626..e36196884 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -13,7 +13,7 @@
   mount -> /usr/lib/lxc/{**,},
   mount fstype=devpts -> /dev/pts/,
   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
-  mount options=(rw, slave) -> /,
+  mount options=(rw, make-slave) -> **,
   mount fstype=debugfs,
   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
   mount -> /var/lib/lxc/{**,},