From 524505b9714beac89f4952296cefa9f997168b98 Mon Sep 17 00:00:00 2001 From: =?utf8?q?St=C3=A9phane=20Graber?= Date: Tue, 8 Apr 2014 13:17:27 -0400 Subject: [PATCH] apparmor: Use more generic allow rule for pivot MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Recent fixes in the apparmor kernel code is now making at least the CI environment and quite possibly some others fail due to an invalid path in the pivot_root stanza. So update both lines to allow a more generic pivot_root call for anything in LXC's work directory. Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn --- config/apparmor/abstractions/start-container | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container index d10996bd7..e31f8f3ba 100644 --- a/config/apparmor/abstractions/start-container +++ b/config/apparmor/abstractions/start-container @@ -28,8 +28,13 @@ umount, #umount /mnt/{**,}, + # This may look a bit redundant, however it appears we need all of + # them if we want things to work properly on all combinations of kernel + # and userspace parser... + pivot_root /usr/lib/lxc/, pivot_root /usr/lib/*/lxc/, - pivot_root /usr/lib/lxc/root/, + pivot_root /usr/lib/lxc/**, + pivot_root /usr/lib/*/lxc/**, change_profile -> lxc-*, change_profile -> unconfined, -- 2.47.3
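Review bot: the replacement of `pivot_root /usr/lib/lxc/root/,` with `pivot_root /usr/lib/lxc/**,` and `pivot_root /usr/lib/*/lxc/**,` widens the allowance from one fixed rootfs directory to every path beneath the LXC work directory, and the hunk's own comment concedes that the four rules are kept only for compatibility across kernel and parser combinations. Record in that comment (or the commit message) which kernel/parser combination needs which form, e.g. which of `pivot_root /usr/lib/lxc/,` versus `pivot_root /usr/lib/lxc/**,` the failing CI environment actually required, so the broad `**` variants can be dropped once the old parser is no longer supported rather than lingering as an unexplained permission.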