[mirror_lxc.git] / config / apparmor / abstractions / start-container.in

  network,
  capability,
  file,

  # The following 3 entries are only supported by recent apparmor versions.
  # Comment them if the apparmor parser doesn't recognize them.
  dbus,
  signal,
  ptrace,

  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
  mount -> @LXCROOTFSMOUNT@/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
  mount -> /var/lib/lxc/{**,},

  # required for some pre-mount hooks
  mount fstype=overlayfs,
  mount fstype=aufs,
  mount fstype=ecryptfs,

  # all umounts are under the original root's /mnt, but right now we
  # can't allow those umounts after pivot_root.  So allow all umounts
  # right now.  They'll be restricted for the container at least.
  umount,
  #umount /mnt/{**,},

  # This may look a bit redundant, however it appears we need all of
  # them if we want things to work properly on all combinations of kernel
  # and userspace parser...
  pivot_root /usr/lib*/lxc/,
  pivot_root /usr/lib*/*/lxc/,
  pivot_root /usr/lib*/lxc/**,
  pivot_root /usr/lib*/*/lxc/**,
  pivot_root @LXCROOTFSMOUNT@/{,**},

  change_profile -> lxc-*,
  change_profile -> lxc-**,
  change_profile -> unconfined,
  change_profile -> :lxc-*:unconfined,
Commit	Line	Data
8da250da SG	1	network,
	2	capability,
	3	file,
2a31251c SG	4
	5	# The following 3 entries are only supported by recent apparmor versions.
	6	# Comment them if the apparmor parser doesn't recognize them.
8da250da	7	dbus,
2a31251c SG	8	signal,
2a31251c SG	9	ptrace,
8da250da SG	10
8da250da SG	11	# currently blocked by apparmor bug
733e3757 MC	12	mount -> /usr/lib//lxc/{**,},
733e3757 MC	13	mount -> /usr/lib/lxc/{*,},
b19c5d12	14	mount -> @LXCROOTFSMOUNT@/{,**},
8da250da SG	15	mount fstype=devpts -> /dev/pts/,
8da250da SG	16	mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
1b0c1746	17	mount options=bind /dev/pts/ -> /dev/,
64b4c7a3	18	mount options=(rw, make-slave) -> **,
667cfb7c	19	mount options=(rw, make-rslave) -> **,
8da250da SG	20	mount fstype=debugfs,
	21	# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
	22	mount -> /var/lib/lxc/{**,},
	23
a9145d62	24	# required for some pre-mount hooks
8da250da SG	25	mount fstype=overlayfs,
	26	mount fstype=aufs,
	27	mount fstype=ecryptfs,
	28
	29	# all umounts are under the original root's /mnt, but right now we
	30	# can't allow those umounts after pivot_root. So allow all umounts
	31	# right now. They'll be restricted for the container at least.
	32	umount,
	33	#umount /mnt/{**,},
	34
524505b9 SG	35	# This may look a bit redundant, however it appears we need all of
	36	# them if we want things to work properly on all combinations of kernel
	37	# and userspace parser...
733e3757 MC	38	pivot_root /usr/lib*/lxc/,
	39	pivot_root /usr/lib//lxc/,
	40	pivot_root /usr/lib/lxc/*,
	41	pivot_root /usr/lib//lxc/**,
b19c5d12	42	pivot_root @LXCROOTFSMOUNT@/{,**},
8da250da SG	43
8da250da SG	44	change_profile -> lxc-*,
242a9fa7	45	change_profile -> lxc-**,
8da250da	46	change_profile -> unconfined,
d680929b	47	change_profile -> :lxc-*:unconfined,