I'm trying to limit the php-fpm binary running inside an LXC container, and I don't want to change lxc.apparmor.profile to unconfined due to the security issues.
In generated mode, when trying to enforce a profile in the LXC container, I get this error:
Permission denied; attempted to load a profile while confined?
Is there any way to enforce an AppArmor profile from the LXC host on php-fpm running inside the container?
Based on the config manual, there is an option (lxc.apparmor.raw) to append to the profile in generated mode, but I don't know how to use it.
Additional info: LXC host: Debian bullseye; LXC container: Debian bullseye (privileged); LXC installed from the official Debian repository.
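As an added example (not part of the original question, and not LXC project documentation), this is the shape of the two knobs the question circles around, as they would sit in the container's config file. The container path, the rule bodies and the comments are illustrative assumptions; only the key names and the "one rule per lxc.apparmor.raw line, appended verbatim to the generated profile" semantics come from the lxc.container.conf manual.

```ini
# /var/lib/lxc/<name>/config   (assumed path; use your container's config)

# Keep the generated profile rather than switching to unconfined.
lxc.apparmor.profile = generated

# lxc.apparmor.raw appends raw AppArmor rule lines to the generated
# profile. The key may be repeated; each value is one profile line and
# must carry its own trailing comma. These rules apply to the whole
# container (every process in it), not to php-fpm alone.
lxc.apparmor.raw = deny network raw,
lxc.apparmor.raw = deny /proc/sysrq-trigger rw,

# Loading a profile from inside the container ("attempted to load a
# profile while confined?") needs the container to get its own AppArmor
# policy namespace. allow_nesting asks LXC for that; it only works when
# the host kernel's AppArmor supports policy stacking (assumption to
# verify: the directory /sys/kernel/security/apparmor/features/domain/stack
# exists on the host).
lxc.apparmor.allow_nesting = 1
```

Usage note: with lxc.apparmor.raw the host can only tighten the container-wide profile, which is the right tool for blanket denials but cannot single out php-fpm. Confining one binary means a per-program profile, and that profile has to be loaded into the container's own namespace from inside the container (apparmor_parser there, after allow_nesting and a stacking-capable kernel); with the host's generated profile still enforced, the two stack rather than replace each other. Restart the container after editing the config, and check the result with aa-status on the host before assuming the inner profile is in enforce mode.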