Package: liblxc-common
Version: 1:6.0.4-4+b3

It seems the fix for #1098521 (0003-apparmor-4x-userns.patch) is
incomplete and a hunk for config/apparmor/abstractions/container-base
(without .in) is missing.

I have experienced issues with non-root unprivileged containers after
upgrading to Debian 13 trixie. Systemd units with a User=... directive fail
(trixie container, download template, e.g. systemd-networkd.service), and
applications cannot create namespaces for additional isolation even in
Debian 12 bookworm containers.

Container:

systemd[1]: systemd-resolved.service: Main process exited, code=exited, status=217/USER

Host:

audit: type=1400 audit(1766123064.132:280): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"

I have found #1098521, which is fixed, but the "userns," line is missing in
/etc/apparmor.d/abstractions/lxc/container-base. According to
config/apparmor/README, the file needs an explicit manual update after
modification of the ".in" template. I expect that the applied fix is
enough for the "generated" AppArmor profile for containers run by root,
but not for non-root containers.

I have noticed #1111087, but the related merge request modifies mount
rules.

I hope that adding "userns," to container-base will not ruin the isolation
of privileged containers.

The following workaround avoids the issues for non-root, fully
unprivileged containers:

Add a "userns," line at the beginning of
/etc/apparmor.d/abstractions/lxc/container-base and run

    apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers

Alternatively, if namespaces are not necessary for applications running
inside containers, then the isolation of specific systemd units with User=
directives may be relaxed for trixie guests:

/etc/systemd/system/systemd-networkd.service.d/disable-namesplaces.conf

  [Service]
  LockPersonality=no
  MemoryDenyWriteExecute=no
  ProtectClock=no
  ProtectKernelLogs=no
  ProtectKernelModules=no
  RestrictAddressFamilies=
  RestrictNamespaces=no
  RestrictRealtime=no
  RestrictSUIDSGID=no
  SystemCallArchitectures=
  SystemCallFilter=
  # E.g. systemd-networkd should have it
  PrivateDevices=no
  PrivateTmp=no
  # for polkit.service
  ProtectHostname=no
  # Added by recent versions of the lxc generator
  # for the "download" template;
  # it may be necessary for upgraded containers.
  ImportCredential=
  PrivateNetwork=no

If it were not for the constant troubles with kernel and AppArmor bugs causing issues with non-root containers, I would set a higher priority for this issue.

Please consider updating 0003-apparmor-4x-userns.patch to add a hunk with
    userns,
for the config/apparmor/abstractions/container-base file.
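
As an added example (not part of this report or of the lxc package), a small POSIX shell script that counts the host-side AppArmor userns_create denials of the kind quoted above per profile, and checks whether a container-base abstraction file already carries an active "userns," rule as the workaround above adds it. The function names and the sample audit lines are my own construction; only the final check against the live /etc/apparmor.d path is optional and skipped when the file is absent.

```shell
#!/bin/sh
# Added example, not part of the bug report: spot the AppArmor
# userns_create denials quoted above in host audit output and check
# whether the container-base abstraction already carries "userns,".

# Constructed sample audit lines, modelled on the one in the report.
SAMPLE_AUDIT='audit: type=1400 audit(1766123064.132:280): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"
audit: type=1400 audit(1766123064.140:281): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"
audit: type=1400 audit(1766123065.000:282): apparmor="DENIED" operation="mount" class="mount" profile="lxc-container-default-cgns"
audit: type=1400 audit(1766123066.000:283): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-mybox"'

# Print "profile count" for every profile that denied userns_create.
# Reads audit/dmesg text from stdin.
count_userns_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="userns_create"' \
        | sed -n 's/.*profile="\([^"]*\)".*/\1/p' \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Succeed if the abstraction file $1 has an active "userns," rule
# (leading blanks allowed; commented-out lines do not count).
has_userns_rule() {
    grep -Eq '^[[:space:]]*userns,[[:space:]]*$' "$1"
}

# Write a constructed abstraction to $1, with the userns rule prepended
# when $2 is "yes", mimicking the workaround from the report.
write_sample_abstraction() {
    {
        [ "$2" = "yes" ] && echo 'userns,'
        echo '  # userns,   (commented out: must not count)'
        echo '  mount fstype=proc -> /proc/,'
    } > "$1"
}

# Stand-alone run: report the sample denials and, when present, whether
# the live abstraction file already has the rule.
main() {
    printf '%s\n' "$SAMPLE_AUDIT" | count_userns_denials
    f=/etc/apparmor.d/abstractions/lxc/container-base
    if [ -f "$f" ]; then
        if has_userns_rule "$f"; then echo "$f: userns rule present"
        else echo "$f: userns rule missing"; fi
    fi
}

main "$@"
```

On a real host, pipe `dmesg` or the audit log into count_userns_denials instead of the constructed sample to see which profiles are blocking namespace creation.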
