Please sign in to comment.
attach: handle apparmor transitions in !NEWNS cases
If we're not attaching to the mount ns , then don't enter the container's apparmor policy. Since we're running binaries from the host and not the container, that actually seems the sane thing to do (besides also the lazier thing). If we dont' do this patch, then we will need to move the apparmor attach past the procfs remount, will need to also mount securityfs if available, and for the !remount_proc_sys case we'll want to mount those just long enough to do the apparmor transition. Signed-off-by: Serge Hallyn <email@example.com> Acked-by: Stéphane Graber <firstname.lastname@example.org>
- Loading branch information...