The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/822

This e-mail was sent by the LXC bot; direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
This is needed to silence apparmor on current Xenial (4.4 kernel) running either trusty or xenial containers.
From 15966fd0861f6472952d27a0910833c900c7d0a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Mon, 15 Feb 2016 20:03:50 -0500
Subject: [PATCH 1/2] Allow sysfs remount by mountall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 config/apparmor/abstractions/container-base.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/apparmor/abstractions/container-base.in 
b/config/apparmor/abstractions/container-base.in
index 3a001d8..e8a39ce 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -87,6 +87,7 @@
   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
+  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> 
/sys/fs/cgroup/cgmanager.lower/,
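
Review bot: The added rule `mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,` carries no comment and, unlike the `mount fstype=sysfs -> /sys/,` line directly above it, no `fstype=` qualifier. Only the subject line says this is for mountall, and the commit body is empty. Please add a one-line comment above the rule naming mountall and the flag set it remounts with, and say whether leaving out `fstype=sysfs` is deliberate for the remount case, so that a later reader of the profile can tell why a read-write remount of /sys/ is permitted inside the container and can drop the rule when it is no longer needed.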

From 97f9856db3397fad38b9e73976f66b6dc33e82c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Mon, 15 Feb 2016 20:08:09 -0500
Subject: [PATCH 2/2] Allow cgroupfs remount by systemd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 config/apparmor/abstractions/container-base.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/apparmor/abstractions/container-base.in 
b/config/apparmor/abstractions/container-base.in
index e8a39ce..2a3969b 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -92,4 +92,5 @@
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> 
/sys/fs/cgroup/cgmanager.lower/,
   mount fstype=cgroup -> /sys/fs/cgroup/**,
+  mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/,
 
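
Review bot: The added rule targets `/sys/fs/cgroup/` exactly, while the existing line above it uses `/sys/fs/cgroup/**`, and nothing in the hunk or the commit message says whether the top-level mount point is the only path systemd remounts. Please confirm that and note it in a comment above the rule, together with the reason for the specific option list (`ro, nosuid, nodev, noexec, remount, strictatime`), since the rule is written against that one flag combination. The pull-request description mentions Xenial with a 4.4 kernel; that context belongs in the commit message as well, which currently has only the sign-off.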
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
