apparmor: skip /proc and /sys restrictions if nesting is enabled

Fabian-Gruenbichler · ThomasLamprecht · commit b89ed0a8e6cb · 2025-11-20T16:57:31.000+01:00
If nesting is enabled, it's already possible to mount your own instance of both procfs and sysfs inside the container, so protecting the "original" ones at /proc and /sys makes no sense, but breaks certain nested container setups. See: lxc/incus@1fbe4bf Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
@@ -170,6 +170,9 @@ static const char AA_PROFILE_BASE[] =
 "  mount options=(rw,move) /s[^y]*{,/**},\n"
 "  mount options=(rw,move) /sy[^s]*{,/**},\n"
 "  mount options=(rw,move) /sys?*{,/**},\n"
+"\n";
+
+static const char AA_PROFILE_BASE_NO_NESTING[] =
 "\n"
 "  # generated by: lxc-generate-aa-rules.py container-rules.base\n"
 "  deny /proc/sys/[^kn]*{,/**} wklx,\n"
@@ -755,6 +758,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 	must_append_sized(&profile, &size, AA_PROFILE_BASE,
 	                  STRARRAYLEN(AA_PROFILE_BASE));
 
+	if (!conf->lsm_aa_allow_nesting)
+		must_append_sized(&profile, &size, AA_PROFILE_BASE_NO_NESTING,
+		                  STRARRAYLEN(AA_PROFILE_BASE_NO_NESTING));
+
 	append_all_remount_rules(&profile, &size);
 
 	if (ops->aa_supports_unix)
@@ -768,8 +775,10 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 	if (ops->aa_can_stack && !ops->aa_is_stacked) {
 		char *namespace, *temp;
 
-		must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
-		                  STRARRAYLEN(AA_PROFILE_STACKING_BASE));
+
+		if (!conf->lsm_aa_allow_nesting)
+			must_append_sized(&profile, &size, AA_PROFILE_STACKING_BASE,
+			                  STRARRAYLEN(AA_PROFILE_STACKING_BASE));
 
 		namespace = apparmor_namespace(conf->name, lxcpath);
 		temp = must_concat(NULL, "  change_profile -> \":", namespace, ":*\",\n"
@@ -779,7 +788,7 @@ static char *get_apparmor_profile_content(struct lsm_ops *ops, struct lxc_conf *
 
 		must_append_sized(&profile, &size, temp, strlen(temp));
 		free(temp);
-	} else {
+	} else if (!conf->lsm_aa_allow_nesting) {
 		must_append_sized(&profile, &size, AA_PROFILE_NO_STACKING,
 		                  STRARRAYLEN(AA_PROFILE_NO_STACKING));
 	}
