]> git.ipfire.org Git - thirdparty/lxc.git/commit
projects / thirdparty / lxc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8dd8072) | patch
apparmor: skip /proc and /sys restrictions if nesting is enabled 4609/head
authorFabian Grünbichler <f.gruenbichler@proxmox.com>
Thu, 13 Nov 2025 12:25:04 +0000 (13:25 +0100)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Thu, 20 Nov 2025 15:57:31 +0000 (16:57 +0100)
commitb89ed0a8e6cb48016f5dac68100e4f47003aeb62
treea4cb67174636982bed50870923b7332b08a0b3ebtree | snapshot
parent8dd8072db77edaaf793519dc75a4c089db1c023bcommit | diff
apparmor: skip /proc and /sys restrictions if nesting is enabled

If nesting is enabled, it's already possible to mount your own
instance of both procfs and sysfs inside the container, so protecting
the "original" ones at /proc and /sys makes no sense, but breaks
certain nested container setups.

See: https://github.com/lxc/incus/pull/2624/commits/1fbe4bffb9748cc3b07aaf5db310d463c1e827d0

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
src/lxc/lsm/apparmor.c diff | blob | blame | history
Mirror of https://github.com/lxc/lxc.git