1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Wed, 25 Jul 2018 12:11:23 +0200
4 Subject: [PATCH] apparmor: update current profiles
5
6 remove cgmanager rules and add fstype=cgroup2 variants for
7 the existing fstype=cgroup rules
8
9 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
10 (cherry picked from commit 6e6aca3e3e71ae0cfad69456acd1dc503feaf964)
11 ---
12 config/apparmor/abstractions/container-base.in | 1 -
13 config/apparmor/profiles/lxc-default-cgns | 1 +
14 config/apparmor/profiles/lxc-default-with-nesting | 1 +
15 3 files changed, 2 insertions(+), 1 deletion(-)
16
17 diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
18 index 54f9ddf0..0844fdbb 100644
19 --- a/config/apparmor/abstractions/container-base.in
20 +++ b/config/apparmor/abstractions/container-base.in
21 @@ -84,7 +84,6 @@
22 mount fstype=sysfs -> /sys/,
23 deny /sys/firmware/efi/efivars/** rwklx,
24 deny /sys/kernel/security/** rwklx,
25 - mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
26 mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
27
28 # deny reads from debugfs
29 diff --git a/config/apparmor/profiles/lxc-default-cgns b/config/apparmor/profiles/lxc-default-cgns
30 index ff599ef8..f69eb994 100644
31 --- a/config/apparmor/profiles/lxc-default-cgns
32 +++ b/config/apparmor/profiles/lxc-default-cgns
33 @@ -9,4 +9,5 @@ profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
34 # the newinstance option (but, right now, we don't).
35 deny mount fstype=devpts,
36 mount fstype=cgroup -> /sys/fs/cgroup/**,
37 + mount fstype=cgroup2 -> /sys/fs/cgroup/**,
38 }
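Review bot: The added `mount fstype=cgroup2 -> /sys/fs/cgroup/**,` rule carries no comment and, like the v1 rule directly above it, constrains neither mount options nor source, whereas the abstraction touched in the first hunk restricts the `/sys/fs/cgroup/` remount with an explicit `options=(...)` list. If parity with the v1 rule is the intent, it is worth stating next to the rule so a later reader does not tighten one without the other, e.g. `# cgroup v2 (unified) hierarchy; deliberately as permissive as the cgroup v1 rule above`. The identical rule is added to lxc-default-with-nesting in the third hunk and could carry the same comment. The enclosing `profile lxc-container-default-cgns ... {` block opens before this hunk.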
39 diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
40 index 6e5745f9..cd198beb 100644
41 --- a/config/apparmor/profiles/lxc-default-with-nesting
42 +++ b/config/apparmor/profiles/lxc-default-with-nesting
43 @@ -11,4 +11,5 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
44 mount fstype=sysfs -> /var/cache/lxc/**,
45 mount options=(rw,bind),
46 mount fstype=cgroup -> /sys/fs/cgroup/**,
47 + mount fstype=cgroup2 -> /sys/fs/cgroup/**,
48 }
49 --
50 2.11.0
51