Cross Reference: /lxc/config/apparmor/abstractions/start-container

8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  network,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  capability,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  file,
2a31251cc5f428f96ee3d322a78556310a681e14Stéphane Graber
2a31251cc5f428f96ee3d322a78556310a681e14Stéphane Graber  # The following 3 entries are only supported by recent apparmor versions.
2a31251cc5f428f96ee3d322a78556310a681e14Stéphane Graber  # Comment them if the apparmor parser doesn't recognize them.
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  dbus,
2a31251cc5f428f96ee3d322a78556310a681e14Stéphane Graber  signal,
2a31251cc5f428f96ee3d322a78556310a681e14Stéphane Graber  ptrace,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  # currently blocked by apparmor bug
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount -> /usr/lib/*/lxc/{**,},
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount -> /usr/lib/lxc/{**,},
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount fstype=devpts -> /dev/pts/,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
1b0c17462ad4f9a05ea6e5ced5e444152ec7a193Serge Hallyn  mount options=bind /dev/pts/** -> /dev/**,
64b4c7a34b5c0407f3bcddc83f7c061dadb583bbMartin Pitt  mount options=(rw, make-slave) -> **,
05352fc9304f465b9322e22d19f62641d82dc6adWolfgang Bumiller  mount options=(rw, make-rslave) -> **,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount fstype=debugfs,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount -> /var/lib/lxc/{**,},
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  # required for some pre-mount hooks (like the new lxc-start-ephemeral)
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount fstype=overlayfs,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount fstype=aufs,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  mount fstype=ecryptfs,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  # all umounts are under the original root's /mnt, but right now we
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  # can't allow those umounts after pivot_root.  So allow all umounts
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  # right now.  They'll be restricted for the container at least.
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  umount,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  #umount /mnt/{**,},
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber
524505b9714beac89f4952296cefa9f997168b98Stéphane Graber  # This may look a bit redundant, however it appears we need all of
524505b9714beac89f4952296cefa9f997168b98Stéphane Graber  # them if we want things to work properly on all combinations of kernel
524505b9714beac89f4952296cefa9f997168b98Stéphane Graber  # and userspace parser...
524505b9714beac89f4952296cefa9f997168b98Stéphane Graber  pivot_root /usr/lib/lxc/,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  pivot_root /usr/lib/*/lxc/,
524505b9714beac89f4952296cefa9f997168b98Stéphane Graber  pivot_root /usr/lib/lxc/**,
524505b9714beac89f4952296cefa9f997168b98Stéphane Graber  pivot_root /usr/lib/*/lxc/**,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  change_profile -> lxc-*,
8da250dad4b11c4983031742a83fb8f358044fe0Stéphane Graber  change_profile -> unconfined,