[libvirt] How to deal with LXC cgroup access control with apparmor ?

I don't know if it's "legal" to send the email here :)

================

I am playing with libvirt 1.1.1 (lxc). When I was starting an LXC container, the process location of cgroup is pretty much just the root directory from the process. But I could tune the cgroup in a container as a logged-in user. This is not accepted...

I wonder how to restrict it with AppArmor, so one cannot modify files in the cgroup fs, e.g. the cpus or mem. If I restrict it with "deny /sys/fs/cgroup/** wrklx," in AppArmor, the container would not start up: "Permission denied", because a process would mount the cgroup; it seems to be done by libvirt_lxc.

Any way to restrict the cgroup in the container, or just not mount cgroup in the container??

Any help would be appreciated, thanks.

------------------
止语
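The post describes a guest that can write to the cgroup filesystem it sees mounted. As an added example (it is not part of the poster's message and not libvirt's own code), the script below audits which cgroup hierarchies a process sees mounted read-write by parsing mount-table lines in the `/proc/self/mounts` format (`device mountpoint fstype options dump pass`); the sample mount table embedded in it is constructed for the demonstration, and `audit_live` is the same check run against the real table of whatever process executes it.

```shell
#!/bin/sh
# Added example (not from the original post or from libvirt): list the cgroup
# hierarchies a process sees mounted read-write, by parsing mount-table lines.
# Assumption: lines follow the /proc/self/mounts layout
#   device mountpoint fstype options dump pass

# Constructed sample of what /proc/self/mounts might show inside an LXC guest:
# the memory hierarchy is mounted read-only here, the cpuset hierarchy is not.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,size=65536k 0 0'

# writable_cgroup_mounts: reads mount lines on stdin and prints the mount point
# of every cgroup (v1) or cgroup2 filesystem whose option list lacks "ro".
writable_cgroup_mounts() {
    awk '$3 == "cgroup" || $3 == "cgroup2" {
        n = split($4, opts, ",")
        ro = 0
        for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        if (!ro) print $2
    }'
}

# audit_sample: the check over the constructed sample table above.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | writable_cgroup_mounts
}

# audit_live: the same check against the real mount table of this process
# (prints nothing when /proc/self/mounts is not readable, e.g. outside Linux).
audit_live() {
    if [ -r /proc/self/mounts ]; then
        writable_cgroup_mounts < /proc/self/mounts
    fi
}

echo "cgroup hierarchies mounted read-write in the sample table:"
audit_sample
```

A hierarchy listed as read-write is only a first indicator: whether a given process can actually change `cpus` or `memory` knobs still depends on the file ownership and mode in that hierarchy and on any MAC policy applied to the process. As the post observes, a blanket AppArmor deny over `/sys/fs/cgroup/**` also hits the mount that libvirt_lxc performs while starting the container, so the audit is useful for confirming what the guest ends up seeing after whichever restriction is applied.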