From b89ed0a8e6cb48016f5dac68100e4f47003aeb62 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Thu, 13 Nov 2025 13:25:04 +0100
Subject: [PATCH] apparmor: skip /proc and /sys restrictions if nesting is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

If nesting is enabled, it's already possible to mount your own instance of both procfs and sysfs inside the container, so protecting the "original" ones at /proc and /sys makes no sense, but breaks certain nested container setups.

See: https://github.com/lxc/incus/pull/2624/commits/1fbe4bffb9748cc3b07aaf5db310d463c1e827d0

Signed-off-by: Fabian Grünbichler
Signed-off-by: Thomas Lamprecht
---
 src/lxc/lsm/apparmor.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d6516ae9f..9f31840ff 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -170,6 +170,9 @@ static const char AA_PROFILE_BASE[] =
 " mount options=(rw,move) /s[^y]*{,/**},\n"
 " mount options=(rw,move) /sy[^s]*{,/**},\n"
 " mount options=(rw,move) /sys?*{,/**},\n"
+"\n";
+
+static const char AA_PROFILE_BASE_NO_NESTING[] =
 "\n"
 " # generated by: lxc-generate-aa-rules.py container-rules.base\n"
 " deny /proc/sys/[^kn]*{,/**} wklx,\n"
@@ -755,6 +758,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 must_append_sized(&profile, &size, AA_PROFILE_BASE,
 STRARRAYLEN(AA_PROFILE_BASE));
 
+ if (!conf->lsm_aa_allow_nesting)
+ must_append_sized(&profile, &size, AA_PROFILE_BASE_NO_NESTING,
+ STRARRAYLEN(AA_PROFILE_BASE_NO_NESTING));
+
 append_all_remount_rules(&profile, &size);
 
 if (ops->aa_supports_unix)
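Review bot: The new `AA_PROFILE_BASE_NO_NESTING` definition runs past the end of the hunk, so everything that used to follow the `deny /proc/sys/[^kn]*{,/**} wklx,` rule in the old `AA_PROFILE_BASE` is now skipped whenever `conf->lsm_aa_allow_nesting` is set; only the first deny rule is visible here, so it is worth confirming that the rest of that tail holds nothing but the /proc and /sys restrictions the subject line names. Nothing in the source says why the constant was split, so I would put a short comment above it, e.g. `/* /proc and /sys deny rules; omitted when conf->lsm_aa_allow_nesting is set, since a nested container can mount its own procfs/sysfs anyway */`. The `# generated by: lxc-generate-aa-rules.py container-rules.base` marker now opens the second constant instead of sitting inside the first, so if that script still regenerates this region it may need to learn about the split.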
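Review bot: Nothing near the new `if (!conf->lsm_aa_allow_nesting)` explains why the base deny rules have become optional; the rationale lives only in the commit message, and the same test is repeated in the two later hunks of this function. A comment at this first occurrence would carry it into the code, e.g. `/* With nesting allowed the container can mount its own procfs/sysfs, so deny rules for its original /proc and /sys add nothing and break nested setups. */`. If the three checks are meant to stay in lockstep, a single local such as `bool allow_nesting = conf->lsm_aa_allow_nesting;` near the top of the function would make that explicit. `get_apparmor_profile_content` starts and ends outside this hunk.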
@@ -768,8 +775,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 if (ops->aa_can_stack && !ops->aa_is_stacked) {
 char *namespace, *temp;
 
- must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
- STRARRAYLEN(AA_PROFILE_STACKING_BASE));
+
+ if (!conf->lsm_aa_allow_nesting)
+ must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
+ STRARRAYLEN(AA_PROFILE_STACKING_BASE));
 
 namespace = apparmor_namespace(conf->name, lxcpath);
 temp = must_concat(NULL, " change_profile -> \":", namespace, ":*\",\n"
@@ -779,7 +788,7 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 
 must_append_sized(&profile, &size, temp, strlen(temp));
 free(temp);
- } else {
+ } else if (!conf->lsm_aa_allow_nesting) {
 must_append_sized(&profile, &size, AA_PROFILE_NO_STACKING,
 STRARRAYLEN(AA_PROFILE_NO_STACKING));
 }
-- 
2.47.3
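Review bot: The added empty `+` line lands right after a blank context line that follows `char *namespace, *temp;` (the 8 old / 10 new line counts only add up that way), which, if I read the layout right, leaves two consecutive blank lines before the new `if`; dropping the added blank keeps the function's spacing. The same condition gates `AA_PROFILE_NO_STACKING` in the next hunk, so with nesting allowed neither the stacking-base nor the no-stacking rules are appended whichever branch is taken; that matches the subject line only if both constants contain nothing but /proc and /sys restrictions, and their contents are outside these hunks, so that should be checked. `get_apparmor_profile_content` starts and ends outside both hunks.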