From: Serge Hallyn Date: Thu, 28 Jan 2016 16:48:55 +0000 (+0100) Subject: allow cgroupfs mounts under /sys/fs/cgroup X-Git-Tag: lxc-2.0.0.beta2~16^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F777%2Fhead;p=thirdparty%2Flxc.git allow cgroupfs mounts under /sys/fs/cgroup Systemd needs to be able to do these, and it does not bypass any of our apparmor rules. Signed-off-by: Serge Hallyn --- diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in index 235913b52..1121256d7 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in @@ -86,4 +86,5 @@ deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, + mount fstype=cgroup -> /sys/fs/cgroup/**,
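Review bot: the added rule `mount fstype=cgroup -> /sys/fs/cgroup/**,` has no `options=` qualifier and no source restriction, and its `**` target matches any depth under /sys/fs/cgroup, so it is much broader than the `options=(move)` cgmanager rule directly above it. If systemd only needs to mount named controllers at first-level directories, consider narrowing the target or listing the permitted options. The profile should also carry a comment above the rule saying that it exists for systemd, because the reason is currently recorded only in the commit message. The statement that this does not bypass any of the existing AppArmor rules is not checkable from this hunk, which shows only the efivars and /sys/kernel/security denies. A short note on which deny rules were checked against cgroup mounts at this path would help later reviewers.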