diff -Nru lxc-0.7.5/debian/changelog lxc-0.7.5/debian/changelog
--- lxc-0.7.5/debian/changelog 2012-01-27 17:13:54.000000000 +0000
+++ lxc-0.7.5/debian/changelog 2012-01-27 19:47:19.000000000 +0000
@@ -1,3 +1,12 @@
+lxc (0.7.5-3ubuntu15) precise; urgency=low
+
+ * 0032-refuse-console.patch: don't allow access to 5:0, which is the
+ host's /dev/console.
+ * debian/lxc.apparmor, debian/rules: install an apparmor profile for
+ lxc-start.
+
+ -- Serge Hallyn Fri, 27 Jan 2012 13:46:59 -0600
+
 lxc (0.7.5-3ubuntu14) precise; urgency=low
 * debian/control: add btrfs-tools to lxc Suggests (LP: #942241)
diff -Nru lxc-0.7.5/debian/lxc.apparmor lxc-0.7.5/debian/lxc.apparmor
--- lxc-0.7.5/debian/lxc.apparmor 1970-01-01 00:00:00.000000000 +0000
+++ lxc-0.7.5/debian/lxc.apparmor 2012-01-27 19:45:32.000000000 +0000
@@ -0,0 +1,96 @@
+#include
+
+/usr/bin/lxc-start flags=(attach_disconnected) {
+ network,
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability setgid,
+ capability setuid,
+ capability setpcap,
+ capability linux_immutable,
+ capability net_bind_service,
+ capability net_broadcast,
+ capability net_admin,
+ capability net_raw,
+ capability ipc_lock,
+ capability ipc_owner,
+ capability sys_module,
+ capability sys_rawio,
+ capability sys_chroot,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_admin,
+ capability sys_boot,
+ capability sys_nice,
+ capability sys_resource,
+ capability sys_time,
+ capability sys_tty_config,
+ capability mknod,
+ capability lease,
+ capability audit_write,
+ capability audit_control,
+ capability setfcap,
+ capability mac_override,
+ capability mac_admin,
+ capability syslog,
+
+ / rwklix,
+ /** rwklix,
+
+ /sbin/init cx -> lxc_container,
+
+ profile lxc_container flags=(attach_disconnected) {
+ network,
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability setgid,
+ capability setuid,
+ capability setpcap,
+ capability linux_immutable,
+ capability net_bind_service,
+ capability net_broadcast,
+ capability net_admin,
+ capability net_raw,
+ capability ipc_lock,
+ capability ipc_owner,
+ capability sys_module,
+ capability sys_rawio,
+ capability sys_chroot,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_admin,
+ capability sys_boot,
+ capability sys_nice,
+ capability sys_resource,
+ capability sys_time,
+ capability sys_tty_config,
+ capability mknod,
+ capability lease,
+ capability audit_write,
+ capability audit_control,
+ capability setfcap,
+ capability mac_override,
+ capability mac_admin,
+ capability syslog,
+
+ / rwklix,
+ /** rwklix,
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+ deny @{PROC}/sys/fs/** wklx,
+ deny @{PROC}/sys/kernel/** wklx,
+ deny /sys/** wklx,
+ }
+}
+
diff -Nru lxc-0.7.5/debian/patches/0032-refuse-console.patch lxc-0.7.5/debian/patches/0032-refuse-console.patch
--- lxc-0.7.5/debian/patches/0032-refuse-console.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxc-0.7.5/debian/patches/0032-refuse-console.patch 2012-01-27 19:30:27.000000000 +0000
@@ -0,0 +1,19 @@
+Description: containers don't need access to 5:0
+ It's not their console, and it lets them mess with host's console
+ This will need to be forwarded upstream.
+Author: Serge Hallyn
+Forwarded: no
+
+Index: lxc/templates/lxc-ubuntu.in
+===================================================================
+--- lxc.orig/templates/lxc-ubuntu.in 2012-01-27 13:28:56.534356000 -0600
++++ lxc/templates/lxc-ubuntu.in 2012-01-27 13:29:39.357648901 -0600
+@@ -246,7 +246,7 @@
+ lxc.cgroup.devices.allow = c 1:5 rwm
+ # consoles
+ lxc.cgroup.devices.allow = c 5:1 rwm
+-lxc.cgroup.devices.allow = c 5:0 rwm
++#lxc.cgroup.devices.allow = c 5:0 rwm
+ #lxc.cgroup.devices.allow = c 4:0 rwm
+ #lxc.cgroup.devices.allow = c 4:1 rwm
+ # /dev/{,u}random
diff -Nru lxc-0.7.5/debian/patches/series lxc-0.7.5/debian/patches/series
--- lxc-0.7.5/debian/patches/series 2012-01-27 16:45:24.000000000 +0000
+++ lxc-0.7.5/debian/patches/series 2012-01-27 19:29:27.000000000 +0000
@@ -42,3 +42,4 @@
 0029-btrfs-clone-support.patch
 0030-ubuntu-template-fail.patch
 0031-ubuntu-template-resolvconf.patch
+0032-refuse-console.patch
diff -Nru lxc-0.7.5/debian/rules lxc-0.7.5/debian/rules
--- lxc-0.7.5/debian/rules 2012-01-27 15:33:18.000000000 +0000
+++ lxc-0.7.5/debian/rules 2012-01-27 19:55:56.000000000 +0000
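Review bot: The `lxc_container` child profile keeps `capability sys_module,`, `capability mac_admin,` and `capability mac_override,`, which allow a root process inside the container to load kernel code or manage MAC policy, so the `deny @{PROC}/sysrq-trigger`, `deny @{PROC}/kmem` and `deny /sys/**` rules below them do not bound what such a process can do; drop those three capability lines from the child profile (they can remain on the outer `/usr/bin/lxc-start` profile if lxc-start itself needs them). The deny rules also depend on `@{PROC}`, yet the `#include` line at the top of the file shows no argument in this rendering — presumably `<tunables/global>` was lost to extraction; confirm the installed file carries it, since the variable is otherwise undefined at parse time. With `/** rwklix` granted in both profiles the deny rules are the only restriction this profile imposes, and a one-line header comment stating that intent (`# Deliberately permissive: only the deny rules below constrain the container`) would make it explicit for the next maintainer.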
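Review bot: The header lines `Description: containers don't need access to 5:0` and `It's not their console` describe device 5:0 as the console, but in Linux's character-device numbering major 5 minor 0 is `/dev/tty` (the calling process's controlling terminal), while `/dev/console` is 5:1, which the context line `lxc.cgroup.devices.allow = c 5:1 rwm` directly above the change still grants. If the intent is to keep containers away from the host console it is 5:1 that needs review; whether it can be withheld depends on how lxc sets up the container's own console, which this diff does not show. Either way the patch header should name the device it actually removes, e.g. `Description: don't grant containers the 5:0 (/dev/tty) device node`, and the changelog entry in the first hunk should be brought in line with it.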
@@ -7,6 +7,11 @@
 dh_auto_configure -- --libdir=\$${prefix}/lib/lxc --with-rootfs-path=\$${prefix}/lib/lxc/root --enable-doc
 override_dh_install:
+ mkdir -p debian/lxc/etc/apparmor.d
+ cp debian/lxc.apparmor debian/lxc/etc/apparmor.d/usr.bin.lxc-start
+ if [ -x /usr/bin/dh_apparmor ]; then \
+ dh_apparmor --profile-name=usr.bin.lxc-start; \
+ fi
 dh_install --fail-missing
 # removing useless files
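Review bot: The `if [ -x /usr/bin/dh_apparmor ]` guard around `dh_apparmor --profile-name=usr.bin.lxc-start` ties profile activation to the build machine: when dh-apparmor is absent the preceding `cp` still installs the profile under /etc/apparmor.d, but no maintainer-script snippet is generated to load it, so the package ships a profile that is never enforced and the build reports nothing. Add `dh-apparmor` to Build-Depends in debian/control (not part of this diff) and call `dh_apparmor --profile-name=usr.bin.lxc-start` unconditionally, so that a missing helper fails the build rather than silently producing an unconfined lxc-start. The `override_dh_install` recipe continues past the end of the hunk.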