From 667cfb7c2d48e896a1c56f839d586fd936b19b9f Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 27 Jun 2016 16:20:00 -0400
Subject: [PATCH] AppArmor: add make-rslave to usr.bin.lxc-start

The profile already contains
  mount options=(rw, make-slave) -> **,

Which allows going through all mountpoints with make-slave,
so it seems to make sense to also allow the directly
recursive variant with "make-rslave".

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---
 config/apparmor/abstractions/start-container | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index b06a84d3b..eee0c2f2b 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -15,6 +15,7 @@
   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
   mount options=bind /dev/pts/** -> /dev/**,
   mount options=(rw, make-slave) -> **,
+  mount options=(rw, make-rslave) -> **,
   mount fstype=debugfs,
   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
   mount -> /var/lib/lxc/{**,},