apparmor: Allow cgroup v2 mounts
Previously, only v1 of the cgroup fs was allowed by AppArmor, and this was causing problems like the following one: audit: type=1400 audit(1540571957.300:196): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=26738 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec" Change-Id: I7f6ac8af0bc1c7d9844ee0c3505b65894d3b7aa1
parent
c68d1a060b
commit
3cdfd8c531
@ -21,6 +21,7 @@ profile lxc-openstack flags=(attach_disconnected,mediate_deleted) {
|
|||||||
|
|
||||||
# allow System access.
|
# allow System access.
|
||||||
mount fstype=cgroup -> /sys/fs/cgroup/**,
|
mount fstype=cgroup -> /sys/fs/cgroup/**,
|
||||||
|
mount fstype=cgroup2 -> /sys/fs/cgroup/**,
|
||||||
mount fstype=proc -> {{ lxc_container_cache_path }}/**,
|
mount fstype=proc -> {{ lxc_container_cache_path }}/**,
|
||||||
mount fstype=sysfs -> {{ lxc_container_cache_path }}/**,
|
mount fstype=sysfs -> {{ lxc_container_cache_path }}/**,
|
||||||
mount options=(rw,bind) {{ lxc_container_cache_path }}/**/dev/shm/ -> {{ lxc_container_cache_path }}/**/run/shm/,
|
mount options=(rw,bind) {{ lxc_container_cache_path }}/**/dev/shm/ -> {{ lxc_container_cache_path }}/**/run/shm/,
|
||||||
|
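Review bot: The added `mount fstype=cgroup2 -> /sys/fs/cgroup/**,` rule has no `options` condition, so it allows a cgroup2 mount with any flag combination at any depth under /sys/fs/cgroup, which is wider than the one denial quoted in the description needs. That denial shows `flags="rw, nosuid, nodev, noexec"` on `/sys/fs/cgroup/unified/`, so a narrower form such as `mount fstype=cgroup2 options=(rw,nosuid,nodev,noexec) -> /sys/fs/cgroup/**,` may be enough; this needs testing against the containers in use, since the v1 rule above it is equally unrestricted and other mount variants may exist. The quoted denial also names profile `lxc-container-default-cgns` while this hunk edits `lxc-openstack`, so it is worth confirming that the affected containers actually load this profile. A one-line comment above the rule, e.g. `# cgroup v2 (unified hierarchy), mounted by systemd inside the container`, would record why it exists. The profile body continues outside the hunk.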