[lxc/lxc] 49bb4f: [nesting] Extend mount permissions in apparmor to ...


Stéphane Graber

Mar 23, 2026, 1:45:39 PM
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/main
Home: https://github.com/lxc/lxc
Commit: 49bb4fad11f549942631e3f78b8ca052e4024000
https://github.com/lxc/lxc/commit/49bb4fad11f549942631e3f78b8ca052e4024000
Author: Pierre-Elliott Bécue <p...@debian.org>
Date: 2026-03-23 (Mon, 23 Mar 2026)

Changed paths:
M config/apparmor/profiles/lxc-default-with-nesting

Log Message:
-----------
[nesting] Extend mount permissions in apparmor to allow systemd services' restrictions to work

These options allow systemd security features to work. In particular
cases, it helps with systemd-logind and programs like this.

It's only added in nesting profile as nesting implies some leniency
anyway. It would pose more risks in privileged or
unprivileged-without-nesting situations.

mount options=(rw,rbind) -> /run/systemd/mount-rootfs/,
mount options=(rw,rbind) -> /run/systemd/mount-rootfs/**,
mount options=(rw,rbind) -> /run/systemd/unit-root/,
mount options=(rw,rbind) -> /run/systemd/unit-root/**,
mount options=(rw,rshared) -> /,
mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,

Signed-off-by: Pierre-Elliott Bécue <p...@debian.org>


Commit: 3ee89c5d95ee8f31bd81623fd73ad7beea4297f8
https://github.com/lxc/lxc/commit/3ee89c5d95ee8f31bd81623fd73ad7beea4297f8
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2026-03-23 (Mon, 23 Mar 2026)

Changed paths:
M config/apparmor/profiles/lxc-default-with-nesting

Log Message:
-----------
Merge pull request #4668 from P-EB/feature/extend_nested_perms

[nesting] Extend mount permissions in apparmor to allow systemd servi…


Compare: https://github.com/lxc/lxc/compare/a6c80ffcece8...3ee89c5d95ee
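The six mount rules quoted in the commit message have a regular shape (options, an optional filesystem type, an arrow, a target path). Below is an added example, not part of the commit or of the lxc project, that parses rules of that shape out of profile text and flags the ones a reviewer would look at twice: any rule carrying `shared`/`rshared` (it changes mount propagation rather than just granting a bind mount) and any target outside the `/run/systemd/` runtime tree. The regular expression, the `allowed_prefixes` policy and the sample input are assumptions of this example; the sample is the commit's rule list embedded inline so the code runs offline.

```python
import re

# Constructed sample: the six rules from the commit message, embedded here
# so the example runs without the real profile file.
NESTING_MOUNT_RULES = """
mount options=(rw,rbind) -> /run/systemd/mount-rootfs/,
mount options=(rw,rbind) -> /run/systemd/mount-rootfs/**,
mount options=(rw,rbind) -> /run/systemd/unit-root/,
mount options=(rw,rbind) -> /run/systemd/unit-root/**,
mount options=(rw,rshared) -> /,
mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
"""

# Assumed rule shape (covers the rules above, not the full AppArmor grammar):
#   mount options=(opt,opt,...) [fstype] -> target,
MOUNT_RULE = re.compile(
    r"^\s*mount\s+options=\(([^)]*)\)\s*(?:(\S+)\s+)?->\s+(\S+?),?\s*$"
)


def parse_mount_rules(text):
    """Return a list of dicts (options, fstype, target) for each mount rule."""
    rules = []
    for line in text.splitlines():
        m = MOUNT_RULE.match(line)
        if not m:
            continue  # not a mount rule of the shape we handle
        opts, fstype, target = m.groups()
        rules.append({
            "options": tuple(o.strip() for o in opts.split(",")),
            "fstype": fstype,          # None when no filesystem type is given
            "target": target,
        })
    return rules


def audit_mount_rules(rules, allowed_prefixes=("/run/systemd/",)):
    """Flag rules that alter propagation or leave the expected target tree.

    Returns a list of (target, reason) tuples; an empty list means no finding.
    The allowed_prefixes policy is an assumption of this example.
    """
    findings = []
    for r in rules:
        if "shared" in r["options"] or "rshared" in r["options"]:
            findings.append((r["target"], "changes mount propagation to shared"))
        if not r["target"].startswith(allowed_prefixes):
            findings.append((r["target"], "target outside expected systemd runtime tree"))
    return findings


if __name__ == "__main__":
    parsed = parse_mount_rules(NESTING_MOUNT_RULES)
    for rule in parsed:
        print(rule)
    for target, reason in audit_mount_rules(parsed):
        print(f"REVIEW {target}: {reason}")
```

Run against the commit's list, the audit reports only the `rshared -> /` rule (twice: once for propagation, once because `/` is outside `/run/systemd/`), which is the one that most changes what a nested container can do with the mount namespace; the four `rbind` rules and the `proc` mount stay inside the systemd runtree and are not flagged.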
