update to current master
[lxc.git] / debian / patches / pve / 0003-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
index 74835c3ed433e7bc61e08ccb4da21e3d79472f66..9040b430ecc736870f410107447922e83cc720fa 100644 (file)
@@ -38,10 +38,10 @@ index 077476559..fbd70fdf5 100644
    # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
  #  mount options=(rw,make-slave) -> **,
 diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
-index 1a3ead89a..39abf348c 100644
+index 2606fb64c..3e61c62ea 100644
 --- a/config/apparmor/abstractions/container-base.in
 +++ b/config/apparmor/abstractions/container-base.in
-@@ -82,7 +82,6 @@
+@@ -83,7 +83,6 @@
    deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
    mount fstype=proc -> /proc/,
    mount fstype=sysfs -> /sys/,
@@ -49,7 +49,7 @@ index 1a3ead89a..39abf348c 100644
    deny /sys/firmware/efi/efivars/** rwklx,
    deny /sys/kernel/security/** rwklx,
    mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
-@@ -90,6 +89,11 @@
+@@ -91,6 +90,11 @@
    # deny reads from debugfs
    deny /sys/kernel/debug/{,**} rwklx,