debian/patches/extra/0011-apparmor-allow-start-container-to-change-to-lxc.patch

   1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
   2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
   3 Date: Tue, 24 Jul 2018 16:42:26 +0200
   4 Subject: [PATCH] apparmor: allow start-container to change to lxc-**
   5
   6 For generated profiles with apparmor namespaces we get
   7 profile names with slashes in them. To match those, we need
   8 to allow changing to lxc-**, not just lxc-*.
   9
  10 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  11 (cherry picked from commit 242a9fa7ee7e9f524de5a23917faa846ea525622)
  12 ---
  13  config/apparmor/abstractions/start-container | 1 +
  14  1 file changed, 1 insertion(+)
  15
  16 diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
  17 index 414d058b..3df9883e 100644
  18 --- a/config/apparmor/abstractions/start-container
  19 +++ b/config/apparmor/abstractions/start-container
  20 @@ -40,5 +40,6 @@
  21    pivot_root /usr/lib*/*/lxc/**,
  22
  23    change_profile -> lxc-*,
  24 +  change_profile -> lxc-**,
  25    change_profile -> unconfined,
  26    change_profile -> :lxc-*:unconfined,
  27 --
  28 2.11.0
  29