From 833bf9c2b29ff03cb5e5e1db089d25757f4a2647 Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Thu, 28 Jan 2016 17:48:55 +0100
Subject: [PATCH] allow cgroupfs mounts under /sys/fs/cgroup

Systemd needs to be able to do these, and it does not bypass any of our apparmor rules.

Signed-off-by: Serge Hallyn
---
 config/apparmor/abstractions/container-base.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 235913b52..1121256d7 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -86,4 +86,5 @@
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
 mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+ mount fstype=cgroup -> /sys/fs/cgroup/**,
--
2.47.2
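Review bot: The added `mount fstype=cgroup -> /sys/fs/cgroup/**,` rule constrains only the filesystem type and the mount point, so a cgroup mount at any depth under /sys/fs/cgroup and, with no `options=` clause, with any mount flags is accepted, which is broader than the stated systemd use case of per-controller hierarchies directly under /sys/fs/cgroup. If systemd's flags are confirmed (it is believed to use nosuid,nodev,noexec — verify before tightening, since a mismatch would deny the mount), a narrower `mount fstype=cgroup options=(rw,nosuid,nodev,noexec) -> /sys/fs/cgroup/*/,` gives the same benefit with less surface; whether `**` also matches /sys/fs/cgroup/ itself should be checked with apparmor_parser rather than assumed. A one-line comment above the rule would help readers of the abstraction, e.g. `# systemd mounts per-controller cgroup hierarchies under /sys/fs/cgroup`. This rule also matches only the v1 `cgroup` fstype, so a unified `cgroup2` hierarchy would need its own rule if that is ever intended. The hunk header counts four old lines but only three context lines are visible, so a blank context line was probably lost in transit; confirm the patch still applies.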