bump version to 3.0.2+pve1-1
[lxc.git] / debian / patches / pve / 0003-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
index 0fec1ba317ac31676685cd79852972d29793c84c..902fe4e1a3a52a0c4f816ca0fdded4a10bea6b39 100644 (file)
@@ -38,7 +38,7 @@ index a5e6c35f..4c3a4ba8 100644
    # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
  #  mount options=(rw,make-slave) -> **,
 diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
-index 16529bbf..54f9ddf0 100644
+index 11ec5c45..0844fdbb 100644
 --- a/config/apparmor/abstractions/container-base.in
 +++ b/config/apparmor/abstractions/container-base.in
 @@ -82,7 +82,6 @@
@@ -48,8 +48,8 @@ index 16529bbf..54f9ddf0 100644
 -  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
    deny /sys/firmware/efi/efivars/** rwklx,
    deny /sys/kernel/security/** rwklx,
-   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
-@@ -91,6 +90,11 @@
+   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+@@ -90,6 +89,11 @@
    # deny reads from debugfs
    deny /sys/kernel/debug/{,**} rwklx,