apparmor: Allow ro remount of boot_id

The rule added in 863845075d did not cover all necessary mount calls for /proc/sys/kernel/random/boot_id (in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
2025-08-06 19:21:34 +00:00 · 2020-07-22 12:17:24 +02:00 · 2020-07-22 12:17:24 +02:00 · 3646e8acef
commit 3646e8acef
parent 66c08be391
1 changed files with 1 additions and 0 deletions
--- a/config/apparmor/abstractions/start-container.in
+++ b/config/apparmor/abstractions/start-container.in
@ -22,6 +22,7 @@
  mount -> /var/lib/lxc/{**,},

  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
+  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,

  # required for some pre-mount hooks
  mount fstype=overlayfs,