From 7a126ae1f20ad6089f9c39ef3965fcfe3fa498b6 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Sun, 21 Feb 2016 20:46:58 -0800
Subject: [PATCH] lxc.container.conf / apparmor : document cgns profile

Also document 'unchanged' which we had never documented before.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
 doc/lxc.container.conf.sgml.in | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 90d9af5e0..69dd09a1b 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1169,7 +1169,9 @@ proc proc proc nodev,noexec,nosuid 0 0
         If lxc was compiled and installed with apparmor support, and the host
         system has apparmor enabled, then the apparmor profile under which the
         container should be run can be specified in the container
-        configuration.  The default is <command>lxc-container-default</command>.
+        configuration.  The default is <command>lxc-container-default-cgns</command>
+	if the host kernel is cgroup namespace aware, or
+	<command>lxc-container-default</command> othewise.
       </para>
       <variablelist>
         <varlistentry>
@@ -1183,6 +1185,11 @@ proc proc proc nodev,noexec,nosuid 0 0
               use
             </para>
               <programlisting>lxc.aa_profile = unconfined</programlisting>
+            <para>
+              If the apparmor profile should remain unchanged (i.e. if you
+	      are nesting containers and are already confined), then use
+            </para>
+              <programlisting>lxc.aa_profile = unchanged</programlisting>
           </listitem>
         </varlistentry>
         <varlistentry>