# Rule fragment of the enclosing lxc-start profile; the profile header and
# its closing brace are outside this excerpt.
# The four bare rules below carry no qualifier, so each grants its whole
# class: user namespace creation, all network access, every capability and
# unrestricted file access. This profile is therefore very broad by design;
# the change_profile rules at the end are where the container itself gets a
# narrower profile.
userns,
network,
capability,
file,
# The following 3 entries are only supported by recent apparmor versions.
# Comment them if the apparmor parser doesn't recognize them.
# Like the rules above, these are unqualified: any dbus, signal and ptrace
# access is permitted.
dbus,
signal,
ptrace,
# currently blocked by apparmor bug
# Mount destinations for the lxc helper directories and the container rootfs
# mount point. @LXCROOTFSMOUNT@ is a template placeholder, presumably
# substituted at build time -- confirm against the build scripts.
mount -> /usr/lib*/*/lxc/{**,},
mount -> /usr/lib*/lxc/{**,},
mount -> @LXCROOTFSMOUNT@/{,**},
# devpts on /dev/pts/, plus bind-mounting pts entries into /dev/.
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,
# Mount-propagation changes (slave/rslave/shared/rshared) on any mount point
# under /, not only the container's own tree.
mount options=(rw, make-slave) -> /{,**},
mount options=(rw, make-rslave) -> /{,**},
mount options=(rw, make-shared) -> /{,**},
mount options=(rw, make-rshared) -> /{,**},
# fstype-only rules: no destination is given, so these may be mounted
# anywhere. debugfs exposes kernel debugging interfaces; fuse.* matches any
# FUSE-backed filesystem type.
mount fstype=debugfs,
mount fstype=fuse.*,
# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
mount -> /var/lib/lxc/{**,},
# Bind /dev/.lxc-boot-id over the kernel boot_id, then remount it
# read-only with nosuid/nodev/noexec.
mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
# required for some pre-mount hooks
# Again destination-less, so any mount point is allowed for these types.
mount fstype=overlayfs,
mount fstype=aufs,
mount fstype=ecryptfs,
# all umounts are under the original root's /mnt, but right now we
# can't allow those umounts after pivot_root. So allow all umounts
# right now. They'll be restricted for the container at least.
# NOTE: the bare `umount,` is unrestricted; the commented-out rule below is
# the narrower form intended once the pivot_root limitation is resolved.
umount,
#umount /mnt/{**,},
# This may look a bit redundant, however it appears we need all of
# them if we want things to work properly on all combinations of kernel
# and userspace parser...
# pivot_root into the lxc helper directories or the rootfs mount point.
pivot_root /usr/lib*/lxc/,
pivot_root /usr/lib*/*/lxc/,
pivot_root /usr/lib*/lxc/**,
pivot_root /usr/lib*/*/lxc/**,
pivot_root @LXCROOTFSMOUNT@/{,**},
# Profile transitions permitted at container start: any lxc-* profile,
# unconfined (which drops AppArmor confinement entirely), and the
# :lxc-*:unconfined form, which appears to name unconfined inside an lxc-*
# policy namespace -- confirm against the parser documentation in use.
change_profile -> lxc-*,
change_profile -> lxc-**,
change_profile -> unconfined,
change_profile -> :lxc-*:unconfined,