From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kalpesh Sejpal
Date: Fri, 9 Sep 2022 16:28:53 +0530
To: pve-user@lists.proxmox.com
Subject: Re: [PVE-User] systemd-logind.service (Piviul)
List-Id: Proxmox VE user list
Hi Piviul,

Using it with unprivileged containers doesn't pose any security risk. The AppArmor profile for the nesting flag is:

  # /etc/apparmor.d/lxc/lxc-default-cgns-with-nesting
  profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
    #include
    #include
    deny /dev/.lxc/proc/** rw,
    deny /dev/.lxc/sys/** rw,
    mount fstype=cgroup -> /sys/fs/cgroup/**,
    mount fstype=proc -> /var/cache/lxc/**,
    mount fstype=sysfs -> /var/cache/lxc/**,
    mount options=(rw,bind),
  }

But privileged containers with the nesting flag can modify sys/** and proc/** of other containers, which can be disastrous.

Regards,
Kalpesh Sejpal

On Fri, 9 Sep, 2022, 3:30 pm , wrote:
> Message: 1
> Date: Thu, 8 Sep 2022 11:58:51 +0200
> From: Piviul
> To: pve-user@lists.proxmox.com
> Subject: Re: [PVE-User] systemd-logind.service
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 05/09/22 12:27, Kalpesh Sejpal wrote:
> > Hi,
> >
> > It's better to enable the features flag nesting=1 for each LXC container with
> > that error.
> >
> > Please check security concerns before changing it.
> >
> > If you can't do that then another alternative is to mask the systemd-logind
> > service.
>
> Hi Kalpesh, thank you very much. In effect both solutions seem to work.
> Are there security risks to setting the nesting flag on an unprivileged container?
>
> Piviul
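An audit for the condition Kalpesh describes (a privileged container that also has nesting=1), as an added example that is not part of the thread or of Proxmox itself: it parses the /etc/pve/lxc/<vmid>.conf "key: value" format and flags each container; the sample configs are constructed.

```python
# Added example (not from the thread): flag privileged Proxmox LXC containers
# that also enable nesting, the combination Kalpesh warns about. Parses the
# /etc/pve/lxc/<vmid>.conf format ("key: value" lines, features as a comma
# separated key=value list). The sample configs below are constructed.
from typing import Dict, List, Tuple

def parse_pct_config(text: str) -> Dict[str, str]:
    """Parse the live part of a pct config ('key: value' lines).
    Stops at the first [snapshot] section; skips blanks and comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            break
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def parse_features(value: str) -> Dict[str, str]:
    """'nesting=1,keyctl=1' -> {'nesting': '1', 'keyctl': '1'}."""
    feats: Dict[str, str] = {}
    for item in value.split(","):
        key, _, val = item.strip().partition("=")
        if key:
            feats[key] = val or "1"
    return feats

def classify(cfg: Dict[str, str]) -> str:
    """'ok' (unprivileged), 'privileged', or 'privileged+nesting'."""
    privileged = cfg.get("unprivileged", "0") != "1"
    nesting = parse_features(cfg.get("features", "")).get("nesting") == "1"
    if privileged and nesting:
        return "privileged+nesting"
    return "privileged" if privileged else "ok"

# Constructed sample configs keyed by VMID; 102 only has nesting in a snapshot.
SAMPLE_CONFIGS = {
    100: "arch: amd64\nfeatures: nesting=1\nhostname: web\nunprivileged: 1\n",
    101: "arch: amd64\nfeatures: nesting=1,keyctl=1\nhostname: ci\n",
    102: "arch: amd64\nhostname: db\nunprivileged: 0\n[snap1]\nfeatures: nesting=1\n",
}

def audit(configs: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (vmid, finding) for every container that is not 'ok'."""
    found = [(v, classify(parse_pct_config(t))) for v, t in configs.items()]
    return sorted(f for f in found if f[1] != "ok")
```

On a real node the same functions can be fed the text of each /etc/pve/lxc/*.conf file; a missing `unprivileged` key is treated as privileged, which is the pct default.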