From: Fabian Grünbichler
Date: Thu, 13 Nov 2025 12:25:04 +0000 (+0100)
Subject: apparmor: skip /proc and /sys restrictions if nesting is enabled
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F4609%2Fhead;p=thirdparty%2Flxc.git
apparmor: skip /proc and /sys restrictions if nesting is enabled
If nesting is enabled, it's already possible to mount your own instance of both procfs and sysfs inside the container, so protecting the "original" ones at /proc and /sys makes no sense, but breaks certain nested container setups.
See: https://github.com/lxc/incus/pull/2624/commits/1fbe4bffb9748cc3b07aaf5db310d463c1e827d0
Signed-off-by: Fabian Grünbichler
Signed-off-by: Thomas Lamprecht
---
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d6516ae9f..9f31840ff 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -170,6 +170,9 @@ static const char AA_PROFILE_BASE[] =
 " mount options=(rw,move) /s[^y]*{,/**},\n"
 " mount options=(rw,move) /sy[^s]*{,/**},\n"
 " mount options=(rw,move) /sys?*{,/**},\n"
+"\n";
+
+static const char AA_PROFILE_BASE_NO_NESTING[] =
 "\n"
 " # generated by: lxc-generate-aa-rules.py container-rules.base\n"
 " deny /proc/sys/[^kn]*{,/**} wklx,\n"
@@ -755,6 +758,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 must_append_sized(&profile, &size, AA_PROFILE_BASE, STRARRAYLEN(AA_PROFILE_BASE));
+ if (!conf->lsm_aa_allow_nesting)
+ must_append_sized(&profile, &size, AA_PROFILE_BASE_NO_NESTING, STRARRAYLEN(AA_PROFILE_BASE_NO_NESTING));
+
 append_all_remount_rules(&profile, &size);
 if (ops->aa_supports_unix)
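Review bot: `AA_PROFILE_BASE_NO_NESTING` is introduced without a comment saying what distinguishes it from `AA_PROFILE_BASE` or when the generator emits it, so a reader of the rule tables has to locate the call site to learn that it is gated on `lsm_aa_allow_nesting`; add above the declaration `/* /proc and /sys deny rules (container-rules.base); appended only when lsm_aa_allow_nesting is off, since nesting already lets the container mount a fresh procfs/sysfs. */`. Note also that `AA_PROFILE_BASE` now ends with `"\n"` while the new table still opens with `"\n"`, so the non-nesting profile gains one extra blank line compared with the previous single concatenation; this should be harmless to the profile parser but is visible when diffing generated profiles. The `AA_PROFILE_BASE` initializer begins, and the new table continues, outside the hunk.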
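Review bot: The new `if (!conf->lsm_aa_allow_nesting)` drops the /proc and /sys deny rules from the generated profile for every container with nesting enabled, and nothing at the call site records why that is acceptable, so the next maintainer may well re-add them; a short comment would fix that, e.g. `/* With nesting the container can mount its own procfs/sysfs anyway, so denying the original /proc and /sys only breaks nested setups. */`. The same flag also suppresses `AA_PROFILE_STACKING_BASE` and `AA_PROFILE_NO_STACKING` in the two later hunks of this function, which the commit description does not mention; if those tables contain rules unrelated to /proc and /sys, the description and the `lxc.apparmor.allow_nesting` entry in the configuration documentation should state that enabling nesting now relaxes them as well. `get_apparmor_profile_content` starts and ends outside the hunk.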
@@ -768,8 +775,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 if (ops->aa_can_stack && !ops->aa_is_stacked) {
 char *namespace, *temp;
- must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
- STRARRAYLEN(AA_PROFILE_STACKING_BASE));
+
+ if (!conf->lsm_aa_allow_nesting)
+ must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
+ STRARRAYLEN(AA_PROFILE_STACKING_BASE));
 namespace = apparmor_namespace(conf->name, lxcpath);
 temp = must_concat(NULL, " change_profile -> \":", namespace, ":*\",\n"
@@ -779,7 +788,7 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 must_append_sized(&profile, &size, temp, strlen(temp));
 free(temp);
- } else {
+ } else if (!conf->lsm_aa_allow_nesting) {
 must_append_sized(&profile, &size, AA_PROFILE_NO_STACKING, STRARRAYLEN(AA_PROFILE_NO_STACKING));
 }
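Review bot: `!conf->lsm_aa_allow_nesting` is now evaluated at three separate points of `get_apparmor_profile_content` (here, in the `} else if` of the following hunk, and before `append_all_remount_rules` in the earlier hunk), each time as a bare field access with no name explaining the policy; reading it once into a local at the top of the function, `const bool allow_nesting = conf->lsm_aa_allow_nesting;` (with `<stdbool.h>` if the file does not already include it), and testing `!allow_nesting` at each site would make the three gates read as one decision. In this hunk the `change_profile` rule built from `apparmor_namespace()` is still appended when nesting is on while the stacking base rules are skipped, which is presumably intended but deserves a comment on the new `if` so the asymmetry is not mistaken for an oversight. The enclosing `if (ops->aa_can_stack && !ops->aa_is_stacked)` block and the function itself continue outside the hunk.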