From 7987eddb9f916b67110fb2d04470bed10022f67f Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Wed, 30 Jul 2014 16:43:10 +0200
Subject: [PATCH] apparmor: Allow slave bind mounts

Without this, if the system uses shared subtrees by default (like systemd), you get a large stream of lxc-start: Permission denied - Failed to make / rslave lxc-start: Continuing... with apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave" and eventual failure plus a lot of leftover mounts in the host. https://launchpad.net/bugs/1325468
---
 config/apparmor/abstractions/start-container | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index e31f8f3ba..1bb94c626 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -13,6 +13,7 @@
 mount -> /usr/lib/lxc/{**,},
 mount fstype=devpts -> /dev/pts/,
 mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+ mount options=(rw, slave) -> /,
 mount fstype=debugfs,
 # allow pre-mount hooks to stage mounts under /var/lib/lxc//
 mount -> /var/lib/lxc/{**,},
--
2.47.2
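Review bot: The added rule `mount options=(rw, slave) -> /,` has no comment, unlike the pre-mount-hook rule two lines below it, so a later audit of the profile cannot tell why lxc-start is allowed to change mount propagation on `/`. I would put `# allow making / a slave mount on hosts that default to shared subtrees (LP: #1325468)` directly above it. The commit message quotes the failing call as "Failed to make / rslave" while the rule and the logged denial list only `slave`. It is worth confirming on the targeted AppArmor parser and kernel that the recursive form is matched by this rule, and if it is not, adding `mount options=(rw, rslave) -> /,` alongside it. Keeping the target as `/` rather than a glob is the right scope for this grant and should stay that way.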