# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which # will source all profiles under /etc/apparmor.d/lxc profile lxc-openstack flags=(attach_disconnected,mediate_deleted) { #include # allow standard blockdevtypes. # The concern here is in-kernel superblock parsers bringing down the # host with bad data. However, we continue to disallow proc, sys, securityfs, # etc to nonstandard locations. mount fstype=ext* -> /**, mount fstype=nbd* -> /**, mount fstype=xfs -> /**, mount fstype=btrfs -> /**, mount fstype=vfat* -> /**, mount fstype=fuseblk -> /**, mount fstype=nbd* -> /**, mount fstype=nfs* -> /**, mount fstype=rpc_pipefs, mount fstype=devpts, # allow System access. mount fstype=cgroup -> /sys/fs/cgroup/**, mount fstype=cgroup2 -> /sys/fs/cgroup/**, mount fstype=proc -> {{ lxc_container_cache_path }}/**, mount fstype=sysfs -> {{ lxc_container_cache_path }}/**, mount options=(rw,remount), mount options=(rw,bind) {{ lxc_container_cache_path }}/**/dev/shm/ -> {{ lxc_container_cache_path }}/**/run/shm/, }