apparmor: skip /proc and /sys restrictions if nesting is enabled

If nesting is enabled, it's already possible to mount your own
instance of both procfs and sysfs inside the container, so protecting
the "original" ones at /proc and /sys makes no sense, but breaks
certain nested container setups.

See: https://github.com/lxc/incus/pull/2624/commits/1fbe4bffb9748cc3b07aaf5db310d463c1e827d0

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d6516ae9f5dbe54909801ae7e1dd156876b3ad12..9f31840ff74ce77ae3bb4ee44cb8cbea59efc127 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -170,6 +170,9 @@ static const char AA_PROFILE_BASE[] =
 "  mount options=(rw,move) /s[^y]*{,/**},\n"
 "  mount options=(rw,move) /sy[^s]*{,/**},\n"
 "  mount options=(rw,move) /sys?*{,/**},\n"
+"\n";
+
+static const char AA_PROFILE_BASE_NO_NESTING[] =
 "\n"
 "  # generated by: lxc-generate-aa-rules.py container-rules.base\n"
 "  deny /proc/sys/[^kn]*{,/**} wklx,\n"
@@ -755,6 +758,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
        must_append_sized(&profile, &size, AA_PROFILE_BASE,
                          STRARRAYLEN(AA_PROFILE_BASE));
 
+       if (!conf->lsm_aa_allow_nesting)
+               must_append_sized(&profile, &size, AA_PROFILE_BASE_NO_NESTING,
+                                 STRARRAYLEN(AA_PROFILE_BASE_NO_NESTING));
+
        append_all_remount_rules(&profile, &size);
 
        if (ops->aa_supports_unix)
@@ -768,8 +775,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
        if (ops->aa_can_stack && !ops->aa_is_stacked) {
                char *namespace, *temp;
 
-               must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
-                                 STRARRAYLEN(AA_PROFILE_STACKING_BASE));
+
+               if (!conf->lsm_aa_allow_nesting)
+                       must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
+                                         STRARRAYLEN(AA_PROFILE_STACKING_BASE));
 
                namespace = apparmor_namespace(conf->name, lxcpath);
                temp = must_concat(NULL, "  change_profile -> \":", namespace, ":*\",\n"
@@ -779,7 +788,7 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 
                must_append_sized(&profile, &size, temp, strlen(temp));
                free(temp);
-       } else {
+       } else if (!conf->lsm_aa_allow_nesting) {
                must_append_sized(&profile, &size, AA_PROFILE_NO_STACKING,
                                  STRARRAYLEN(AA_PROFILE_NO_STACKING));
        }