Never mind, this won't work until apparmor gets some changes.
Quoting Serge Hallyn ([email protected]): > it will cause hangup of the fuse fs on host. > > Note we could limit this to fuse filesystems only, but I can't see a > good reason to allow force umount from container at all at the moment. > > Signed-off-by: Serge Hallyn <[email protected]> > --- > config/apparmor/abstractions/container-base | 3 +++ > config/apparmor/abstractions/container-base.in | 3 +++ > 2 files changed, 6 insertions(+) > > diff --git a/config/apparmor/abstractions/container-base > b/config/apparmor/abstractions/container-base > index 2d5fd7a..4faed77 100644 > --- a/config/apparmor/abstractions/container-base > +++ b/config/apparmor/abstractions/container-base > @@ -3,6 +3,9 @@ > file, > umount, > > + # prevent containers from causing nfs/fuse hangup on host > + deny umount options=(force), > + > # dbus, signal, ptrace and unix are only supported by recent apparmor > # versions. Comment them if the apparmor parser doesn't recognize them. > > diff --git a/config/apparmor/abstractions/container-base.in > b/config/apparmor/abstractions/container-base.in > index 2065735..56f4da9 100644 > --- a/config/apparmor/abstractions/container-base.in > +++ b/config/apparmor/abstractions/container-base.in > @@ -3,6 +3,9 @@ > file, > umount, > > + # prevent containers from causing nfs/fuse hangup on host > + deny umount options=(force), > + > # dbus, signal, ptrace and unix are only supported by recent apparmor > # versions. Comment them if the apparmor parser doesn't recognize them. > > -- > 2.1.0 > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
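Review bot: In the container-base hunk, the new `deny umount options=(force),` line is placed above the existing comment that tells users to comment out the dbus, signal, ptrace and unix rules when the parser doesn't recognize them, so it is not covered by that guidance, and the reply at the top of this message says the rule won't work until apparmor gets some changes. Suggest holding the rule back until parser support exists, or moving it under that comment and naming it there, so that a parser which rejects the line does not stop the whole abstraction from loading.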
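Review bot: In the container-base.in hunk, the added comment `# prevent containers from causing nfs/fuse hangup on host` describes a narrower scope than the rule under it, which carries no fstype qualifier and therefore denies forced umount on every filesystem type, while the commit message itself notes the rule could have been limited to fuse. Suggest rewording the comment to say that forced umount is denied for all filesystems and why. The same three lines are also added by hand to container-base; if that file is generated from this template, changing only the .in file and regenerating keeps the two from drifting apart.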
