This is another difference with the apparmor 4.0 userspace. We need to
explicitly enable user namespaces in the generated profile - at least
when nesting is enabled.
Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
---
src/PVE/LXC.pm | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 741bb33..b922ba1 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -595,6 +595,7 @@ sub make_apparmor_config {
# We use abi/4.0 which has its own mqueue class which governs access to
/dev/mqueue now.
# This is currently not default in lxc's profile, so we enable it
explicitly.
+ # FIXME: once lxc's profiles are based on abi/4.0 this should not be
required.
$raw .= "lxc.apparmor.raw = allow mqueue,\n";
my @profile_uses;
@@ -612,6 +613,8 @@ sub make_apparmor_config {
if ($features->{nesting}) {
push @profile_uses, 'features:nesting';
$raw .= "lxc.apparmor.allow_nesting = 1\n";
+ # FIXME: once lxc's profiles are based on abi/4.0 this should not be
required.
+ $raw .= "lxc.apparmor.raw = allow userns,\n";
} else {
# In the default profile in /etc/apparmor.d we patch this in because
# otherwise a container can for example run `chown` on /sys, breaking
--
2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
