On Thu, Jun 23, 2016 at 11:04:20AM +0200, Wolfgang Bumiller wrote:
> On Thu, Jun 23, 2016 at 09:52:02AM +0200, Wolfgang Bumiller wrote:
> > Just noticed this one of the two patches is still applied.
>
> I meant *not* applied... sorry :\

My recent apparmor change allows shared, private, rshared and rprivate mounts for any path inside the container. I wonder if that's somehow enough or if we also need to have specific rules for make-{r}{private,shared}. > > > > > On Mon, Nov 30, 2015 at 08:58:52AM +0100, Wolfgang Bumiller wrote: > > > The profile already contains > > > mount options=(rw, make-slave) -> **, > > > > > > Which allows going through all mountpoints with make-slave, > > > so it seems to make sense to also allow the directly > > > recursive variant with "make-rslave". > > > > > > Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> > > > Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com> > > > --- > > > config/apparmor/abstractions/start-container | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > diff --git a/config/apparmor/abstractions/start-container > > > b/config/apparmor/abstractions/start-container > > > index b06a84d..eee0c2f 100644 > > > --- a/config/apparmor/abstractions/start-container > > > +++ b/config/apparmor/abstractions/start-container 
> > > @@ -15,6 +15,7 @@ > > > mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, > > > mount options=bind /dev/pts/** -> /dev/**, > > > mount options=(rw, make-slave) -> **, > > > + mount options=(rw, make-rslave) -> **, > > > mount fstype=debugfs, > > > # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/ > > > mount -> /var/lib/lxc/{**,}, > > > -- > > > 2.1.4 > > > > > > > > > _______________________________________________ > > > lxc-devel mailing list > > > lxc-devel@lists.linuxcontainers.org > > > http://lists.linuxcontainers.org/listinfo/lxc-devel > > > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel@lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > > _______________________________________________ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
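Review bot: The added `mount options=(rw, make-rslave) -> **,` line in the `@@ -15,6 +15,7 @@` hunk carries no comment in the profile explaining why a propagation change is permitted on every path (`**`), while the pre-mount hook rule two lines below it does have one. The commit message's reasoning (the existing make-slave rule already lets a caller walk every mountpoint, so the recursive form grants nothing new) is worth recording as a one-line comment above the make-slave/make-rslave pair, so that readers of the abstraction do not need this thread to see why the rule is safe. The hunk covers only the slave direction; the make-{r}{private,shared} variants raised in the reply are not touched here and would each need their own line if they are wanted.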