From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH lxc] fix #7006: do not restrict proc or sys if nested
Date: Thu, 13 Nov 2025 14:08:01 +0100	[thread overview]
Message-ID: <20251113130914.789691-1-f.gruenbichler@proxmox.com> (raw)

if nesting is enabled, it is already possible to mount a fresh instance of
procfs and sysfs inside the container. protecting the original one does not
make much sense in such a scenario; the kernel already protects the bits that
are off-limits for unprivileged users anyway.

this fixes an issue with certain nested container setups, such as a recent
enough runc nested inside LXC.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
tested using the reproducer from BZ

 ...proc-and-sys-restrictions-if-nesting.patch | 71 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 72 insertions(+)
 create mode 100644 debian/patches/apparmor/0003-apparmor-skip-proc-and-sys-restrictions-if-nesting.patch

diff --git a/debian/patches/apparmor/0003-apparmor-skip-proc-and-sys-restrictions-if-nesting.patch b/debian/patches/apparmor/0003-apparmor-skip-proc-and-sys-restrictions-if-nesting.patch
new file mode 100644
index 0000000..44b9454
--- /dev/null
+++ b/debian/patches/apparmor/0003-apparmor-skip-proc-and-sys-restrictions-if-nesting.patch
@@ -0,0 +1,71 @@
+From 33b101104ea750cc7bb723fa3715fb42cd177645 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Thu, 13 Nov 2025 13:25:04 +0100
+Subject: [PATCH] apparmor: skip /proc and /sys restrictions if nesting is
+ enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+if nesting is enabled, it's already possible to mount your own instance of both
+/proc and /sys inside the container, so protecting the "original" one makes no
+sense, but breaks certain nested container setups.
+
+See: https://github.com/lxc/incus/pull/2624/commits/1fbe4bffb9748cc3b07aaf5db310d463c1e827d0
+Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=7006
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ src/lxc/lsm/apparmor.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
+index d6516ae9f..e9d494f1e 100644
+--- a/src/lxc/lsm/apparmor.c
++++ b/src/lxc/lsm/apparmor.c
+@@ -170,6 +170,9 @@ static const char AA_PROFILE_BASE[] =
+ "  mount options=(rw,move) /s[^y]*{,/**},\n"
+ "  mount options=(rw,move) /sy[^s]*{,/**},\n"
+ "  mount options=(rw,move) /sys?*{,/**},\n"
++"\n";
++
++static const char AA_PROFILE_BASE_NO_NESTING[] =
+ "\n"
+ "  # generated by: lxc-generate-aa-rules.py container-rules.base\n"
+ "  deny /proc/sys/[^kn]*{,/**} wklx,\n"
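Review bot: the hunk shows only the first rule of the block moved into AA_PROFILE_BASE_NO_NESTING (`deny /proc/sys/[^kn]*{,/**} wklx,`), so a reviewer has to take on trust that everything from this split point to the end of the original AA_PROFILE_BASE string is a /proc or /sys restriction and nothing a nested container still needs; please either show the whole constant or state that in the commit message. Two smaller points: AA_PROFILE_BASE now ends in "\n" and AA_PROFILE_BASE_NO_NESTING begins with "\n", so the non-nesting profile gains a doubled blank line at the join (harmless, but one of the two can go), and since the moved rules are marked `# generated by: lxc-generate-aa-rules.py container-rules.base`, any future regeneration has to be pointed at the new constant rather than AA_PROFILE_BASE.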
+@@ -755,6 +758,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
+ 	must_append_sized(&profile, &size, AA_PROFILE_BASE,
+ 	                  STRARRAYLEN(AA_PROFILE_BASE));
+ 
++	if (!conf->lsm_aa_allow_nesting)
++		must_append_sized(&profile, &size, AA_PROFILE_BASE_NO_NESTING,
++		                  STRARRAYLEN(AA_PROFILE_BASE_NO_NESTING));
++
+ 	append_all_remount_rules(&profile, &size);
+ 
+ 	if (ops->aa_supports_unix)
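Review bot: the skip is keyed only on `!conf->lsm_aa_allow_nesting`, but the justification in the commit message ("the kernel already protects the bits that are off-limits for unprivileged users") only holds for unprivileged containers; a privileged container with nesting enabled now also loses the deny rules for the host-provided /proc/sys and /sys, with real root inside. Consider limiting the skip to unprivileged containers, or at least say in the commit message that the privileged case was considered. Note also that `append_all_remount_rules(&profile, &size);` still runs unconditionally right after, so the remount restrictions stay in force when nesting is allowed; that looks intended, but a sentence in the message would make it explicit.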
+@@ -768,8 +775,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
+ 	if (ops->aa_can_stack && !ops->aa_is_stacked) {
+ 		char *namespace, *temp;
+ 
+-		must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
+-		                  STRARRAYLEN(AA_PROFILE_STACKING_BASE));
++
++		if (!conf->lsm_aa_allow_nesting)
++			must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
++			                  STRARRAYLEN(AA_PROFILE_STACKING_BASE));
+ 
+ 		namespace = apparmor_namespace(conf->name, lxcpath);
+ 		temp = must_concat(NULL, "  change_profile -> \":", namespace, ":*\",\n"
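Review bot: the bare `+` line at the top of this hunk adds a second consecutive blank line after `char *namespace, *temp;` (the original blank context line is still there); drop it. Guarding AA_PROFILE_STACKING_BASE as a whole also assumes that constant holds nothing but the /proc and /sys restrictions; its content is not in the diff, so please confirm that the change_profile rules built into `temp` below are the only stacking-specific pieces still required when nesting is allowed.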
+@@ -779,7 +788,7 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
+ 
+ 		must_append_sized(&profile, &size, temp, strlen(temp));
+ 		free(temp);
+-	} else {
++	} else if (!conf->lsm_aa_allow_nesting) {
+ 		must_append_sized(&profile, &size, AA_PROFILE_NO_STACKING,
+ 		                  STRARRAYLEN(AA_PROFILE_NO_STACKING));
+ 	}
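Review bot: same concern as for the stacking branch: AA_PROFILE_NO_STACKING is skipped wholesale under nesting without its content being shown, so confirm it contains only the /proc and /sys deny rules. Style-wise, `!conf->lsm_aa_allow_nesting` now appears at three sites in get_apparmor_profile_content(); one local such as `bool restrict_proc_sys = !conf->lsm_aa_allow_nesting;` near the top of the function would state the intent once and keep the three sites in sync.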
+-- 
+2.47.3
+
diff --git a/debian/patches/series b/debian/patches/series
index 5f3f0b6..a2f2ad4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
 apparmor/0001-apparmor-allow-lxc-start-to-create-user-namespaces.patch
 apparmor/0002-apparmor-use-abi-directive-in-apparmor-profiles.patch
+apparmor/0003-apparmor-skip-proc-and-sys-restrictions-if-nesting.patch
 pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
 pve/0002-PVE-Config-attach-always-use-getent.patch
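Review bot: the new patch is sequenced before pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch, which by its name also restricts /sys and /proc mounting; make sure that PVE-specific patch does not reintroduce a deny rule that defeats the relaxation in 0003 for the nesting case. The BZ reproducer mentioned in the cover note would catch this if it was run against the full series, so it is worth saying so explicitly.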
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Thread overview: 2+ messages
2025-11-13 13:08 Fabian Grünbichler [this message]
2025-11-13 19:23 ` [pve-devel] applied: " Thomas Lamprecht
