# Do not load this file directly.  Load /etc/apparmor.d/lxc-containers
# instead, which sources every profile under /etc/apparmor.d/lxc
# (including this one).

# Container profile: the default LXC confinement (via container-base) plus
# permission to mount iso9660 (CD/DVD image) filesystems and the cgroup
# filesystem under /sys/fs/cgroup.  Everything not granted below or by the
# included abstraction is denied by the profile's default-deny semantics.
#
# Flags (see apparmor.d(5)):
#   attach_disconnected - paths that become disconnected from the
#                         namespace root (e.g. after pivot_root) are
#                         mediated as if rooted at "/" instead of being
#                         rejected outright.
#   mediate_deleted     - access to deleted-but-still-open files is still
#                         mediated against the rules rather than allowed.
profile lxc-container-default-with-cdrom flags=(attach_disconnected,mediate_deleted) {
  # Common LXC rule set (file, capability, network, signal, ptrace, base
  # mount rules).  Defined outside this file; its exact contents are not
  # visible here.
  #include <abstractions/lxc/container-base>

  # The container may never be allowed to mount devpts.  Without the
  # "newinstance" option a devpts mount attaches to the host's shared
  # devpts instance, exposing host ptys.  We could allow it with
  # newinstance (but, right now, we don't).
  # "deny" rules take precedence over "allow" rules in AppArmor, so this
  # overrides any devpts mount permission container-base might grant.
  deny mount fstype=devpts,

  # Allow iso9660 (the only block-device filesystem type this profile
  # permits; the broader "with-mounting" style profiles allow more).
  # The concern here is in-kernel superblock parsers bringing down the
  # host with bad data: the container supplies the image contents, so the
  # kernel's iso9660 parser is exposed to attacker-controlled input.
  # We continue to disallow proc, sys, securityfs, etc. to nonstandard
  # locations.
  # NOTE(review): no source, destination or option constraint is given,
  # so any iso9660 source the container can reach may be mounted at any
  # path with any options.  If only read-only media is expected, consider
  # narrowing with options=(ro,nodev,nosuid) -- confirm with the deployment.
  mount fstype=iso9660,

  # Enable systemd cgroup mount in container; restricted to the standard
  # cgroup mount point hierarchy only.
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}
