I've attached a patch against the 2.9 branch that's working for me. I'm allowing rbind as well as bind because that's the part of the actual call that caused me to discover this. It looks like an equivalent change could be made against master as well:

http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/parser/mount.h#L106

Should I submit it to the mailing list, too?

** Patch added: "PATCH.patch"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1272028/+attachment/4457487/+files/PATCH.patch

https://bugs.launchpad.net/bugs/1272028

Title:
  remount, not honored on bind mounts

Status in apparmor package in Ubuntu:
  Expired
Status in apparmor source package in Precise:
  Expired
Status in apparmor source package in Trusty:
  Expired
Status in apparmor source package in Utopic:
  Expired

Bug description:
  I was trying to run docker in a nested container. docker wants to remount a bind-mounted dir as ro. Audit log showed this failed. I first tried to add more specific rules, but when those did not work I tried just 'remount,' in the policy. Still the mount was denied. Finally when I added 'mount,', it worked.

  Ideally I would be able to say

    remount options=(ro,bind) -> /var/lib/docker/**/,
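As an added illustration (not part of the bug report, the comment above, or the attached patch), here are the two policy choices the report describes side by side in an AppArmor profile fragment; the profile name is a placeholder, and /var/lib/docker is the path the reporter named:

```apparmor
# Added example fragment, not from the bug report or the attached patch.
# "nested-docker" is a placeholder profile name.
profile nested-docker {

  # The rule the reporter fell back to. It made docker's ro remount of the
  # bind mount succeed, but it permits every mount operation on every path,
  # which is far more than a container runtime needs.
  # mount,

  # The least-privilege rule the reporter wanted: remount only, only with
  # the ro and bind options, and only below the docker data directory.
  # In the affected releases (Precise, Trusty, Utopic) the parser did not
  # honor this for bind mounts, which is what the patch against
  # parser/mount.h in the thread above addresses.
  remount options=(ro,bind) -> /var/lib/docker/**/,

  # The commenter notes the real call used rbind rather than bind, and the
  # patch accepts both; a rule matching that call would name rbind here.
}
```

Until a parser carrying the fix is installed, a profile that contains only the narrow rule will still produce the audit denial the reporter saw, so check the fix is present before removing the broad rule.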