CC'ing AppArmor experts to get their input :)

This is a fairly big hammer, but unfortunately I don't think it's
possible to tell AppArmor "let the driver use umount, but only if
it's running inside a namespace".

Andrea Bolognani (1):
  apparmor: Allow umount(/dev)

 src/security/apparmor/usr.sbin.libvirtd.in  | 1 +
 src/security/apparmor/usr.sbin.virtqemud.in | 1 +
 2 files changed, 2 insertions(+)

-- 
2.39.0