/etc/apparmor.d/usr.bin.lxc-start is in lxc 0.7.5-3ubuntu52.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
#include <tunables/global>
# AppArmor profile confining /usr/bin/lxc-start (lxc 0.7.5-3ubuntu52).
# attach_disconnected lets the process keep using files whose path is no
# longer reachable from the namespace root -- presumably needed because of
# the pivot_root rule below; confirm against the apparmor docs for this kernel.
/usr/bin/lxc-start flags=(attach_disconnected) {
# The three bare rules below carry no qualifier: unrestricted network
# access, every capability, and unrestricted file access (read, write,
# exec, link, lock). Together they make this profile close to unconfined;
# the mount/umount/pivot_root rules are the only real restriction it adds.
network,
capability,
file,
# FIXME: should be: mount /** -> /usr/lib/lxc/root/**
# currently blocked by apparmor bug
# Mount rules: any source may be mounted only onto the container root
# (/usr/lib/lxc/root/) or something under it; a devpts instance on
# /dev/pts/; a bind mount of /dev/pts/ptmx/ onto /dev/ptmx/; and debugfs
# (no source or destination constraint on that last one).
mount -> /usr/lib/lxc/root/{**,},
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount fstype=debugfs,
# all umounts are under the original root's /mnt, but right now we
# can't allow those umounts after pivot_root. So allow all umounts
# right now. They'll be restricted for the container at least.
# NOTE(review): the bare rule permits unmounting any mount point visible
# to the process, not only those under /mnt. The intended narrower rule
# is kept below, commented out, for when the pivot_root limitation noted
# above is lifted.
umount,
#umount /mnt/{**,},
# FIXME: should be: pivot_root /usr/lib/lxc/root/
# requires >= 3.2.0-19
# Unrestricted pivot_root, for the same reason as the bare umount rule.
pivot_root,
# Permitted profile transitions: lxc-start may switch into any profile
# whose name matches lxc-*, or drop to unconfined (no AppArmor
# confinement at all). The second target is what allows a fully
# unconfined container to be started under this profile.
change_profile -> lxc-*,
change_profile -> unconfined,
}