Allow sysfs remount by mountall

author Stéphane Graber <stgraber@ubuntu.com>

Tue, 16 Feb 2016 01:03:50 +0000 (20:03 -0500)

committer Stéphane Graber <stgraber@ubuntu.com>

Tue, 16 Feb 2016 01:03:50 +0000 (20:03 -0500)
author Stéphane Graber <stgraber@ubuntu.com>
Tue, 16 Feb 2016 01:03:50 +0000 (20:03 -0500)
committer Stéphane Graber <stgraber@ubuntu.com>
Tue, 16 Feb 2016 01:03:50 +0000 (20:03 -0500)
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in

index 3a001d83ad1b5a1c6a559ea92afd5e6176ef5435..e8a39ce3b5ec11f36ded094a9555e6b422f53911 100644 (file)
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -87,6 +87,7 @@
    deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
    mount fstype=proc -> /proc/,
    mount fstype=sysfs -> /sys/,
+  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
    deny /sys/firmware/efi/efivars/** rwklx,
    deny /sys/kernel/security/** rwklx,
    mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
author	Stéphane Graber <stgraber@ubuntu.com>
	Tue, 16 Feb 2016 01:03:50 +0000 (20:03 -0500)
committer	Stéphane Graber <stgraber@ubuntu.com>
	Tue, 16 Feb 2016 01:03:50 +0000 (20:03 -0500)