apparmor profile to allow netns handling inside LXCs

lxc-default-with-netns

# /etc/apparmor.d/lxc/lxc-default-with-netns
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-netns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>


  # - onetime mount, if /run/netns was not mounted yet:
  #   strace: mount("", "/var/run/netns", "none", MS_REC|MS_SHARED, NULL) = 0
  # fwiw fstype=none doesn't match, protect by denying mount with /dev argument
  deny mount options=(rw, make-rshared) /** -> /run/netns/,
  mount options=(rw, make-rshared) -> /run/netns/,
  #   strace: mount("/var/run/netns", "/var/run/netns", 0x43981d, MS_BIND, NULL) = 0
  mount options=(rw, bind) /run/netns/ -> /run/netns/,

  # - one mount per each netns: ip netns add foo:
  #   strace: mount("/proc/self/ns/net", "/var/run/netns/foo", 0x43981d, MS_BIND, NULL) = 0
  mount options=(rw, bind) @{PROC} -> /run/netns/**,
  # kernel 4.2 doesn't match above, needs this one:
  mount options=(rw, bind) / -> /run/netns/**,

  # - used by: ip netns exec foo ...: 
  #   strace: mount("", "/", "none", MS_REC|MS_SLAVE, NULL) = 0
  # fwiw fstype=none doesn't match, protect by denying mount with /dev argument
  deny mount options=(rw, make-rslave) /** -> /,
  mount options=(rw, make-rslave) -> /,
}

Tested this aa profile with:
#1 create netns inside foo LXC, run cmd inside its netns

lxc-attach -n foo
ip netns add bar
ip netns exec bar ip a
#2 LXC'd openstack neutron-gateways deployed by

juju, requires hacking host's LXC templates to allow multinic
LXCs.

Nice. Would you mind submitting a patch to upstream lxc adding this as one of the sample profiles?