Index: libvirt-1.2.17/examples/apparmor/libvirt-lxc =================================================================== --- libvirt-1.2.17.orig/examples/apparmor/libvirt-lxc +++ libvirt-1.2.17/examples/apparmor/libvirt-lxc @@ -2,39 +2,15 @@ #include - umount, - - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - - # allow tmpfs mounts everywhere - mount fstype=tmpfs, - - # allow mqueue mounts everywhere - mount fstype=mqueue, - - # allow fuse mounts everywhere - mount fstype=fuse.*, - - # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted - mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, + # deny writes in /proc/sys/fs deny @{PROC}/sys/fs/** wklx, - # allow efivars to be mounted, writing to it will be blocked though - mount fstype=efivarfs -> /sys/firmware/efi/efivars/, - # block some other dangerous paths deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, - # deny writes in /sys except for /sys/fs/cgroup, also allow - # fusectl, securityfs and debugfs to be mounted there (read-only) - mount fstype=fusectl -> /sys/fs/fuse/connections/, - mount fstype=securityfs -> /sys/kernel/security/, - mount fstype=debugfs -> /sys/kernel/debug/, - mount fstype=proc -> /proc/, - mount fstype=sysfs -> /sys/, + # deny writes in /sys deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx,