From 3cdfd8c5319b32ab155a4e4cbfd4c8bf805c5cdd Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Mon, 29 Oct 2018 10:22:32 +0000
Subject: [PATCH] apparmor: Allow cgroup v2 mounts

Previously, only the v1 of the cgroup fs was being allowed by AppArmor and this were causing problems like the following one

audit: type=1400 audit(1540571957.300:196): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=26738 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

Change-Id: I7f6ac8af0bc1c7d9844ee0c3505b65894d3b7aa1
---
templates/lxc-openstack.apparmor.j2 | 1 +
1 file changed, 1 insertion(+)

diff --git a/templates/lxc-openstack.apparmor.j2 b/templates/lxc-openstack.apparmor.j2
index 4356a996..bda9eab5 100644
--- a/templates/lxc-openstack.apparmor.j2
+++ b/templates/lxc-openstack.apparmor.j2
@@ -21,6 +21,7 @@ profile lxc-openstack flags=(attach_disconnected,mediate_deleted) {
 # allow System access.
 mount fstype=cgroup -> /sys/fs/cgroup/**,
+ mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 mount fstype=proc -> {{ lxc_container_cache_path }}/**,
 mount fstype=sysfs -> {{ lxc_container_cache_path }}/**,
 mount options=(rw,bind) {{ lxc_container_cache_path }}/**/dev/shm/ -> {{ lxc_container_cache_path }}/**/run/shm/,
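Review bot: The audit record quoted in the commit message was emitted under profile `lxc-container-default-cgns`, while the new `mount fstype=cgroup2 -> /sys/fs/cgroup/**,` rule is added to the `lxc-openstack` profile; the message should state that the same DENIED event is reproduced under `lxc-openstack` (or how that profile relates to the default one), otherwise it is not evident from the patch that this is the profile that needs the grant. The new rule mirrors the cgroup v1 line directly above it and places no constraint on mount options, which is consistent with the existing rule; if a narrower grant is preferred, `mount fstype=cgroup2 options=(rw,nosuid,nodev,noexec) -> /sys/fs/cgroup/**,` matches the flags shown in the cited denial, at the cost of rejecting mounts that use other flag combinations. A short comment above the new line, such as `# cgroup v2 (unified hierarchy) is mounted by systemd under /sys/fs/cgroup/unified/`, would tell the next reader why both fstypes are listed. The profile block opened at the `@@` context line continues outside the hunk.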