From: Scott Moser <smoser@brickies.net>
Date: Fri, 24 Feb 2023 21:48:10 +0000 (-0500)
Subject: Allow fuse mounts in apparmor start-container.
X-Git-Tag: v6.0.0~63^2
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F4281%2Fhead;p=thirdparty%2Flxc.git

Allow fuse mounts in apparmor start-container.

Unprivledged user should be able to do fuse mounts during start-container.
Specifically this solves the problem for un-priv fuse mounting via
pre-hook.

Signed-off-by: Scott Moser <smoser@brickies.net>
---

diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
index 59dcb69ab..4acb1410f 100644
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
@@ -20,6 +20,7 @@
   mount options=(rw, make-shared) -> **,
   mount options=(rw, make-rshared) -> **,
   mount fstype=debugfs,
+  mount fstype=fuse.*,
   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
   mount -> /var/lib/lxc/{**,},