[lxc/lxc] b89ed0: apparmor: skip /proc and /sys restrictions if nest...
0 views
Skip to first unread message
Stéphane Graber
Nov 20, 2025, 3:00:51 PM (14 days ago) Nov 20
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/main
Home: https://github.com/lxc/lxc
Commit: b89ed0a8e6cb48016f5dac68100e4f47003aeb62
https://github.com/lxc/lxc/commit/b89ed0a8e6cb48016f5dac68100e4f47003aeb62
Author: Fabian Grünbichler <f.gruen...@proxmox.com>
Date: 2025-11-20 (Thu, 20 Nov 2025)
Changed paths:
M src/lxc/lsm/apparmor.c
Log Message:
-----------
apparmor: skip /proc and /sys restrictions if nesting is enabled
If nesting is enabled, it's already possible to mount your own
instance of both procfs and sysfs inside the container, so protecting
the "original" ones at /proc and /sys makes no sense, but breaks
certain nested container setups.
See: https://github.com/lxc/incus/pull/2624/commits/1fbe4bffb9748cc3b07aaf5db310d463c1e827d0
Signed-off-by: Fabian Grünbichler <f.gruen...@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lam...@proxmox.com>
Commit: f0889ea12f4d4adc4715dec89ebe754a69b750d2
https://github.com/lxc/lxc/commit/f0889ea12f4d4adc4715dec89ebe754a69b750d2
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2025-11-20 (Thu, 20 Nov 2025)
Changed paths:
M src/lxc/lsm/apparmor.c
Log Message:
-----------
Merge pull request #4609 from ThomasLamprecht/apparmor-no-proc-sys-restrictions-if-nested
apparmor: skip /proc and /sys restrictions if nesting is enabled
Compare: https://github.com/lxc/lxc/compare/8dd8072db77e...f0889ea12f4d
To unsubscribe from these emails, change your notification settings at https://github.com/lxc/lxc/settings/notifications
Home: https://github.com/lxc/lxc
Commit: b89ed0a8e6cb48016f5dac68100e4f47003aeb62
https://github.com/lxc/lxc/commit/b89ed0a8e6cb48016f5dac68100e4f47003aeb62
Author: Fabian Grünbichler <f.gruen...@proxmox.com>
Date: 2025-11-20 (Thu, 20 Nov 2025)
Changed paths:
M src/lxc/lsm/apparmor.c
Log Message:
-----------
apparmor: skip /proc and /sys restrictions if nesting is enabled
If nesting is enabled, it's already possible to mount your own
instance of both procfs and sysfs inside the container, so protecting
the "original" ones at /proc and /sys makes no sense, but breaks
certain nested container setups.
See: https://github.com/lxc/incus/pull/2624/commits/1fbe4bffb9748cc3b07aaf5db310d463c1e827d0
Signed-off-by: Fabian Grünbichler <f.gruen...@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lam...@proxmox.com>
Commit: f0889ea12f4d4adc4715dec89ebe754a69b750d2
https://github.com/lxc/lxc/commit/f0889ea12f4d4adc4715dec89ebe754a69b750d2
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2025-11-20 (Thu, 20 Nov 2025)
Changed paths:
M src/lxc/lsm/apparmor.c
Log Message:
-----------
Merge pull request #4609 from ThomasLamprecht/apparmor-no-proc-sys-restrictions-if-nested
apparmor: skip /proc and /sys restrictions if nesting is enabled
Compare: https://github.com/lxc/lxc/compare/8dd8072db77e...f0889ea12f4d
To unsubscribe from these emails, change your notification settings at https://github.com/lxc/lxc/settings/notifications
Reply all
Reply to author
Forward
0 new messages