# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

# Default confinement for LXC containers, cgroup-mount variant. The "-cgns"
# suffix presumably refers to cgroup namespaces - confirm against the LXC
# documentation for the version in use.
#
# Flags:
#   attach_disconnected - paths that cannot be resolved from the namespace
#     root (for example objects reached through a descriptor handed in from
#     another mount namespace) are treated as attached at "/" and matched
#     against these rules instead of being rejected.
#   mediate_deleted - access to files that have already been unlinked stays
#     under mediation.
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  # Shared baseline rules for containers. Everything not listed in this
  # profile comes from that abstraction, so review it together with this file.
  include <abstractions/lxc/container-base>

  # The container must never mount devpts: doing so would remount the host's
  # devpts. Permitting it with the newinstance option would be possible, but
  # is not done at present.
  # An explicit deny overrides any allow rule, including one pulled in by the
  # include above. Plain deny rules are not logged by default; prefix the rule
  # with "audit" if blocked attempts should appear in the audit log.
  deny mount fstype=devpts,

  # cgroup v1 and v2 filesystems may be mounted, but only onto targets below
  # /sys/fs/cgroup/. These two rules place no restriction on mount options.
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
}