[pve-devel] [PATCH container] fix #6573: allow userns creation when nesting is enabled

* [pve-devel] [PATCH container] fix #6573: allow userns creation when nesting is enabled
@ 2025-07-30  6:58 Wolfgang Bumiller
  2025-07-30 11:40 ` Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Wolfgang Bumiller @ 2025-07-30  6:58 UTC (permalink / raw)
  To: pve-devel

This is another difference with the apparmor 4.0 userspace. We need to
explicitly enable user namespaces in the generated profile - at least
when nesting is enabled.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/PVE/LXC.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 741bb33..b922ba1 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -595,6 +595,7 @@ sub make_apparmor_config {
 
     # We use abi/4.0 which has its own mqueue class which governs access to /dev/mqueue now.
     # This is currently not default in lxc's profile, so we enable it explicitly.
+    # FIXME: once lxc's profiles are based on abi/4.0 this should not be required.
     $raw .= "lxc.apparmor.raw = allow mqueue,\n";
 
     my @profile_uses;
@@ -612,6 +613,8 @@ sub make_apparmor_config {
     if ($features->{nesting}) {
         push @profile_uses, 'features:nesting';
         $raw .= "lxc.apparmor.allow_nesting = 1\n";
+        # FIXME: once lxc's profiles are based on abi/4.0 this should not be required.
+        $raw .= "lxc.apparmor.raw = allow userns,\n";
     } else {
         # In the default profile in /etc/apparmor.d we patch this in because
         # otherwise a container can for example run `chown` on /sys, breaking
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 2+ messages in thread