debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch

   1 From 4a491a31c23e64f29152a4b5e4ff07b361074261 Mon Sep 17 00:00:00 2001
   2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
   3 Date: Tue, 2 Feb 2016 09:13:04 +0100
   4 Subject: [PATCH] apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/}
   5
   6 Some systems need to be able to bind-mount /run to /var/run
   7 and /run/lock to /var/run/lock. (Tested with opensuse 13.1
   8 containers migrated from openvz.)
   9
  10 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  11 ---
  12  config/apparmor/abstractions/container-base.in | 4 ++++
  13  1 file changed, 4 insertions(+)
  14
  15 diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
  16 index 1121256..3a001d8 100644
  17 --- a/config/apparmor/abstractions/container-base.in
  18 +++ b/config/apparmor/abstractions/container-base.in
  19 @@ -62,6 +62,10 @@
  20    # allow bind mount of /lib/init/fstab for lxcguest
  21    mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
  22
  23 +  # allow bind mounts of /run/{,lock} to /var/run/{,lock}
  24 +  mount options=(rw, bind) /run/ -> /var/run/,
  25 +  mount options=(rw, bind) /run/lock/ -> /var/lock/,
  26 +
  27    # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
  28    mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  29    deny @{PROC}/sys/fs/** wklx,
  30 --
  31 2.1.4
  32