[lxc.git] / debian / patches / extra / 0009-apparmor-update-current-profiles.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 25 Jul 2018 12:11:23 +0200
Subject: [PATCH] apparmor: update current profiles

remove cgmanager rules and add fstype=cgroup2 variants for
the existing fstype=cgroup rules

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
(cherry picked from commit 6e6aca3e3e71ae0cfad69456acd1dc503feaf964)
---
 config/apparmor/abstractions/container-base.in    | 1 -
 config/apparmor/profiles/lxc-default-cgns         | 1 +
 config/apparmor/profiles/lxc-default-with-nesting | 1 +
 3 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 54f9ddf0..0844fdbb 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -84,7 +84,6 @@
   mount fstype=sysfs -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
-  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 
   # deny reads from debugfs
diff --git a/config/apparmor/profiles/lxc-default-cgns b/config/apparmor/profiles/lxc-default-cgns
index ff599ef8..f69eb994 100644
--- a/config/apparmor/profiles/lxc-default-cgns
+++ b/config/apparmor/profiles/lxc-default-cgns
@@ -9,4 +9,5 @@ profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
   # the newinstance option (but, right now, we don't).
   deny mount fstype=devpts,
   mount fstype=cgroup -> /sys/fs/cgroup/**,
+  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 }
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
index 6e5745f9..cd198beb 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -11,4 +11,5 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
   mount fstype=sysfs -> /var/cache/lxc/**,
   mount options=(rw,bind),
   mount fstype=cgroup -> /sys/fs/cgroup/**,
+  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 }
-- 
2.11.0
Commit	Line	Data
2d8021b3 WB	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
	3	Date: Wed, 25 Jul 2018 12:11:23 +0200
	4	Subject: [PATCH] apparmor: update current profiles
	5
	6	remove cgmanager rules and add fstype=cgroup2 variants for
	7	the existing fstype=cgroup rules
	8
	9	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
	10	(cherry picked from commit 6e6aca3e3e71ae0cfad69456acd1dc503feaf964)
	11	---
	12	config/apparmor/abstractions/container-base.in \| 1 -
	13	config/apparmor/profiles/lxc-default-cgns \| 1 +
	14	config/apparmor/profiles/lxc-default-with-nesting \| 1 +
	15	3 files changed, 2 insertions(+), 1 deletion(-)
	16
	17	diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
	18	index 54f9ddf0..0844fdbb 100644
	19	--- a/config/apparmor/abstractions/container-base.in
	20	+++ b/config/apparmor/abstractions/container-base.in
	21	@@ -84,7 +84,6 @@
	22	mount fstype=sysfs -> /sys/,
	23	deny /sys/firmware/efi/efivars/** rwklx,
	24	deny /sys/kernel/security/** rwklx,
	25	- mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
	26	mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
	27
	28	# deny reads from debugfs
	29	diff --git a/config/apparmor/profiles/lxc-default-cgns b/config/apparmor/profiles/lxc-default-cgns
	30	index ff599ef8..f69eb994 100644
	31	--- a/config/apparmor/profiles/lxc-default-cgns
	32	+++ b/config/apparmor/profiles/lxc-default-cgns
	33	@@ -9,4 +9,5 @@ profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
	34	# the newinstance option (but, right now, we don't).
	35	deny mount fstype=devpts,
	36	mount fstype=cgroup -> /sys/fs/cgroup/**,
	37	+ mount fstype=cgroup2 -> /sys/fs/cgroup/**,
	38	}
	39	diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
	40	index 6e5745f9..cd198beb 100644
	41	--- a/config/apparmor/profiles/lxc-default-with-nesting
	42	+++ b/config/apparmor/profiles/lxc-default-with-nesting
	43	@@ -11,4 +11,5 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
	44	mount fstype=sysfs -> /var/cache/lxc/**,
	45	mount options=(rw,bind),
	46	mount fstype=cgroup -> /sys/fs/cgroup/**,
	47	+ mount fstype=cgroup2 -> /sys/fs/cgroup/**,
	48	}
	49	--
	50	2.11.0
	51