Fix installation of out-of-tree (VPATH) builds Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>

add lxc-default-cgns profile This isn't safe for privileged containers which do not use cgroup namespaces, but is required for systemd containers with cgroup namespaces. So create a new profile for it which lxc will use as the default when it knows it can. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: auto-generate the blacklist rules This uses the generate-apparmor-rules.py script I sent out some time ago to auto-generate apparmor rules based on a higher level set of block/allow rules. Add apparmor policy testcase to make sure that some of the paths we expect to be denied (and allowed) write access to are in fact in effect in the final policy. With this policy, libvirt in a container is able to start its default network, which previously it could not. v2: address feedback from stgraber put lxc-generate-aa-rules.py into EXTRA_DIST add lxc-test-apparmor, container-base and container-rules to .gitignore take lxc-test-apparmor out of EXTRA_DIST make lxc-generate-aa-rules.py pep8-compliant don't automatically generate apparmor rules This is only bc we can't be guaranteed that python3 will be available. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

apparmor: Add profiles Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>