From 3646e8acef3986514ca12194dc8a688897928423 Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov
Date: Wed, 22 Jul 2020 12:17:24 +0200
Subject: [PATCH] apparmor: Allow ro remount of boot_id

The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all necessary mount calls for /proc/sys/kernel/random/boot_id (in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.

Signed-off-by: Stoiko Ivanov
---
 config/apparmor/abstractions/start-container.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
index 9998f1121..9f64c2727 100644
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
@@ -22,6 +22,7 @@
 mount -> /var/lib/lxc/{**,},
 mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
+ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
 # required for some pre-mount hooks
 mount fstype=overlayfs,
-- 
2.47.2
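Review bot: The new remount rule is undocumented in the profile, so a reader of start-container.in cannot tell why a remount of /proc/sys/kernel/random/boot_id is permitted or which code path needs it; the justification only lives in the commit message. A one-line comment above the two boot_id rules would fix that, e.g. `# lxc_setup_boot_id (src/lxc/conf.c): bind-mount /dev/.lxc-boot-id over boot_id, then remount it ro`. As I read AppArmor's mount syntax, `options=(...)` requires the flag set to match exactly rather than any subset, which is the least-privilege choice here, but it also means the rule silently stops matching if the flags used by lxc_setup_boot_id ever change — the comment should name that coupling so the two are updated together. The surrounding mount rules of the abstraction continue outside the hunk.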