So I came up with an alternate way around this which works for both privileged and unprivileged containers and doesn't require an updated apparmor. This uses seccomp to filter the umount2 call and return EACCES when passed MNT_FORCE as second argument.
Code is at: http://paste.ubuntu.com/9568741/

stgraber@castiana:~/Desktop$ gcc sec-mount.c -o sec-mount -lseccomp
stgraber@castiana:~/Desktop$ cp sec-mount /tmp/
stgraber@castiana:~/Desktop$ lxc-usernsexec -- /tmp/sec-mount
root@castiana:~/Desktop# mount --bind /home/stgraber/ /mnt
root@castiana:~/Desktop# umount /mnt
root@castiana:~/Desktop# mount --bind /home/stgraber/ /mnt
root@castiana:~/Desktop# umount -f /mnt
umount2: Permission denied
umount: /mnt: block devices not permitted on fs
root@castiana:~/Desktop# exit

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1402834

Title:
  fuse filesystems get disconnected on container exit

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  When bind-mounting a directory from a fuse filesystem into a container, and the container is then shut down, the userspace process serving the fuse fs is terminated. The original fuse mountpoint remains busy until it is manually unmounted.

  I've tested this with sshfs, git://github.com/stgraber/cgmanagerfs, the bbfs example fs from http://www.cs.nmsu.edu/~pfeiffer/fuse-tutorial/, or git://github.com/lxc/lxcfs.

  To reproduce:

  Mount a fusefs - say sshfs - with -o allow_other, let's say onto /tmp/d.

    sshfs -f -d -o allow_other somehost:$HOME /tmp/d

  Bind that into a container by adding

    lxc.mount.entry = /tmp/d freezer none bind,create=dir 0 0

  to the container's config.

  Start the container, stop it.

  The fuse program stops (exits 0 in fact). The mount is not cleaned up - ls /tmp/d on the host henceforth complains:

    "ls: cannot access /tmp/d Transport endpoint is not connected"

  (sudo umount /tmp/d cleans it up)

  I don't know for sure whether this is a kernel or libfuse bug.