incusd/apparmor/lxc: Allow write access to /proc/sys/user #1937
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@zgttotev I don't really see a reason to block this when nesting isn't enabled as there's no real security concerns with allowing those knobs. Will be simpler to just always allow /proc/sys/user/ |
|
Fair enough. Wasn't sure the nesting exclusion was needed myself. |
Bubblewrap [2], used by Flatpak [3], attempts to disable further userns creation by writing 1 to `/proc/sys/user/max_user_namespaces` in a new userns, but this fails in a fresh unprivileged Incus container. This is safe even outside Bubblewrap's new userns because the files in `/proc/sys/user` are "the limits for the user namespace in which the opening process resides," [1] which is the Incus-created userns for the unprivileged container. Reproduce: ```bash incus launch -c security.nesting=true images:ubuntu/24.04 ubu incus shell ubu apt install bubblewrap # before changes bwrap --unshare-user --disable-userns nothing #=> bwrap: cannot open /proc/sys/user/max_user_namespaces: Permission denied # after changes bwrap --unshare-user --disable-userns nothing #=> bwrap: execvp nothing: No such file or directory ``` See: [1] `namespaces(7)`: The /proc/sys/user directory [2] <https://github.com/containers/bubblewrap/blob/main/bubblewrap.c#L3465> [3] <https://github.com/flatpak/flatpak/blob/main/common/flatpak-run.c#L2238> Signed-off-by: Gabriel Totev <gabriel.totev@zetier.com>
stgraber
approved these changes
Apr 14, 2025
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
May 10, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [lxc/incus](https://github.com/lxc/incus) | minor | `v6.11.0` -> `v6.12.0` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>lxc/incus (lxc/incus)</summary> ### [`v6.12.0`](https://github.com/lxc/incus/releases/tag/v6.12.0): Incus 6.12 [Compare Source](lxc/incus@v6.11.0...v6.12.0) ### Announcement https://discuss.linuxcontainers.org/t/incus-6-12-has-been-released/23556 #### What's Changed - doc: Fix missing OCI section by [@​stgraber](https://github.com/stgraber) in lxc/incus#1855 - doc: Fix config option reference on LINSTOR driver by [@​luissimas](https://github.com/luissimas) in lxc/incus#1857 - Add support for server-side filtering by instance name by [@​presztak](https://github.com/presztak) in lxc/incus#1856 - incusd/instance/lxc: Fix max gid when in a privileged container by [@​stgraber](https://github.com/stgraber) in lxc/incus#1859 - Fix some static analysis nits by [@​stgraber](https://github.com/stgraber) in lxc/incus#1860 - README: Fix typo by [@​stgraber](https://github.com/stgraber) in lxc/incus#1861 - Docs: correct restriction on `path` option by [@​gwenya](https://github.com/gwenya) in lxc/incus#1862 - lxd-to-incus: Fix typo in trigger by [@​stgraber](https://github.com/stgraber) in lxc/incus#1865 - incusd/instance/edk2: Limit test to UEFI architectures by [@​stgraber](https://github.com/stgraber) in lxc/incus#1866 - doc: Tweak ACME documentation by [@​stgraber](https://github.com/stgraber) in lxc/incus#1868 - instances/drivers/qemu: update user parameter for QEMU v9.1+ by [@​dnegreira](https://github.com/dnegreira) in lxc/incus#1871 - OCI improvements by [@​stgraber](https://github.com/stgraber) in lxc/incus#1873 - Support server-side filtering by [@​presztak](https://github.com/presztak) in lxc/incus#1872 - Enable filtering with the `all-projects` flag when listing images by [@​presztak](https://github.com/presztak) in lxc/incus#1874 - Improve migration by [@​stgraber](https://github.com/stgraber) in lxc/incus#1878 - incusd/storage: Add missing forwarding on snapshot list by [@​stgraber](https://github.com/stgraber) in lxc/incus#1882 - incusd/instance/common: Fix concurrent restarts by [@​stgraber](https://github.com/stgraber) in lxc/incus#1884 - Fix all static analysis in client/, shared/ and cmd/incus/ by [@​stgraber](https://github.com/stgraber) in lxc/incus#1883 - generate-database: Fix documentation for `ignore` by [@​breml](https://github.com/breml) in lxc/incus#1885 - incusd/response: Remove redundant line break in error by [@​stgraber](https://github.com/stgraber) in lxc/incus#1886 - RFC 3442 compliance in forknet dhcp client by [@​gwenya](https://github.com/gwenya) in lxc/incus#1887 - incus-agent: Retry mounts to avoid kernel races by [@​stgraber](https://github.com/stgraber) in lxc/incus#1888 - Address sets for nftables and OVN by [@​irhndt](https://github.com/irhndt) in lxc/incus#1728 - incusd/operations: Fix WaitGet on op failure by [@​stgraber](https://github.com/stgraber) in lxc/incus#1894 - Update list of compresors by [@​stgraber](https://github.com/stgraber) in lxc/incus#1892 - Add snapshot pre-fetching support by [@​stgraber](https://github.com/stgraber) in lxc/incus#1891 - incusd/instance/lxc: Use pre-existing PATH when not overridden by [@​stgraber](https://github.com/stgraber) in lxc/incus#1895 - incusd/acme: Include CA in generate certificate by [@​stgraber](https://github.com/stgraber) in lxc/incus#1897 - Usability improvements to incus-migrate by [@​stgraber](https://github.com/stgraber) in lxc/incus#1898 - client/incus: Fix non-constant format strings by [@​c4t3l](https://github.com/c4t3l) in lxc/incus#1899 - docs: mDNS setup for cluster HA by [@​MOZGIII](https://github.com/MOZGIII) in lxc/incus#1896 - Support filtering storage volumes by a single keyword by [@​presztak](https://github.com/presztak) in lxc/incus#1915 - incusd/instance/qemu: Clean leftover sockets on startup by [@​stgraber](https://github.com/stgraber) in lxc/incus#1916 - incusd: Implement Incus OS API forwarding by [@​stgraber](https://github.com/stgraber) in lxc/incus#1918 - Add generated documentation for network bridge by [@​NathanChase22](https://github.com/NathanChase22) in lxc/incus#1920 - doc: Use `$USER` instead of YOUR-USERNAME by [@​bjackman](https://github.com/bjackman) in lxc/incus#1922 - doc: Ignore link that's blocking Azure by [@​stgraber](https://github.com/stgraber) in lxc/incus#1924 - Storage bugfixes by [@​bensmrs](https://github.com/bensmrs) in lxc/incus#1923 - incusd/patches: Refresh OpenFGA model for address sets by [@​stgraber](https://github.com/stgraber) in lxc/incus#1925 - Add generated documentation for network forwards by [@​tonyn10](https://github.com/tonyn10) in lxc/incus#1926 - Add support for configurable logging targets by [@​presztak](https://github.com/presztak) in lxc/incus#1903 - Port tpm device documentation to gendoc by [@​saahirN](https://github.com/saahirN) in lxc/incus#1929 - Allow basic connectivity under nftables by [@​stgraber](https://github.com/stgraber) in lxc/incus#1930 - incusd/storage/zfs: Make CacheVolumeSnapshots failures non-fatal by [@​stgraber](https://github.com/stgraber) in lxc/incus#1931 - incusd/instance/lxc: Restrict unprivileged ping to recent kernels by [@​stgraber](https://github.com/stgraber) in lxc/incus#1934 - Implement SNAT as part of network forwards by [@​stgraber](https://github.com/stgraber) in lxc/incus#1935 - incusd/apparmor/lxc: Allow write access to /proc/sys/user by [@​zgttotev](https://github.com/zgttotev) in lxc/incus#1937 - incusd/instance/lxc: Defer calls to the scheduler by [@​stgraber](https://github.com/stgraber) in lxc/incus#1938 - shared/archive: Prevent xattr errors from crashing unsquashfs by [@​zgttotev](https://github.com/zgttotev) in lxc/incus#1939 - Extend use of ZFS pre-caching by [@​stgraber](https://github.com/stgraber) in lxc/incus#1941 - Add common aliases for add/create remove/delete/rm in the CLI by [@​joecwilson](https://github.com/joecwilson) in lxc/incus#1943 - feat: support access_token query parameter as JWT fallback by [@​irtaza9](https://github.com/irtaza9) in lxc/incus#1940 - Memory hotplug support for VMs by [@​presztak](https://github.com/presztak) in lxc/incus#1945 - incusd: Remove old routing logic by [@​stgraber](https://github.com/stgraber) in lxc/incus#1947 - Fix refresh migrations in cluster and speed up ZFS startup by [@​stgraber](https://github.com/stgraber) in lxc/incus#1946 - incusd/devices: Don't require a serial number for USB hotplug by [@​stgraber](https://github.com/stgraber) in lxc/incus#1949 - Move tls testing functions to tlstest by [@​nanjj](https://github.com/nanjj) in lxc/incus#1948 - Remove Rican7/retry dependency by [@​nanjj](https://github.com/nanjj) in lxc/incus#1952 - Port `proxy` device documentation to `gendoc` by [@​Abdomash](https://github.com/Abdomash) in lxc/incus#1953 - Port gpu device documentation to gendoc by [@​kmxtn](https://github.com/kmxtn) in lxc/incus#1954 - Port nic device documentation to gendoc by [@​rahafjrw](https://github.com/rahafjrw) in lxc/incus#1956 - Remove arping dependency by [@​ahmetfturhan](https://github.com/ahmetfturhan) in lxc/incus#1958 - Remove gocapability dependency by [@​nanjj](https://github.com/nanjj) in lxc/incus#1957 - Infiniband Device Documentation Ported to GenDoc by [@​AbhinavTiruvee](https://github.com/AbhinavTiruvee) in lxc/incus#1962 - Replace rebfig/cron/v3 with adhocore/gronx by [@​nanjj](https://github.com/nanjj) in lxc/incus#1959 - Update help of `incus storage list` by [@​stgraber](https://github.com/stgraber) in lxc/incus#1968 - shared/api/scriptlet: Add yaml struct tags by [@​breml](https://github.com/breml) in lxc/incus#1973 - incusd/storage/migration: Check instance size during migration by [@​stgraber](https://github.com/stgraber) in lxc/incus#1971 - Logfile for forknet dhcp by [@​gwenya](https://github.com/gwenya) in lxc/incus#1976 - Add dhcp static routes via 0.0.0.0 with link scope in forknet by [@​gwenya](https://github.com/gwenya) in lxc/incus#1977 - incusd/device/disk: Fix registration of custom volumes by [@​stgraber](https://github.com/stgraber) in lxc/incus#1980 - Add server side filtering for `incus profile list` by [@​Abdomash](https://github.com/Abdomash) in lxc/incus#1982 - Fix reference passing when yaml unmarshal by [@​nanjj](https://github.com/nanjj) in lxc/incus#1984 - Various fixes by [@​stgraber](https://github.com/stgraber) in lxc/incus#1983 - scriptlet: Return proper error by [@​breml](https://github.com/breml) in lxc/incus#1986 - incusd/instance: Also consider local CPU flags by [@​stgraber](https://github.com/stgraber) in lxc/incus#1987 - Cap maximum VM memory to match host memory total by [@​stgraber](https://github.com/stgraber) in lxc/incus#1988 #### New Contributors - [@​dnegreira](https://github.com/dnegreira) made their first contribution in lxc/incus#1871 - [@​c4t3l](https://github.com/c4t3l) made their first contribution in lxc/incus#1899 - [@​MOZGIII](https://github.com/MOZGIII) made their first contribution in lxc/incus#1896 - [@​NathanChase22](https://github.com/NathanChase22) made their first contribution in lxc/incus#1920 - [@​bjackman](https://github.com/bjackman) made their first contribution in lxc/incus#1922 - [@​tonyn10](https://github.com/tonyn10) made their first contribution in lxc/incus#1926 - [@​saahirN](https://github.com/saahirN) made their first contribution in lxc/incus#1929 - [@​zgttotev](https://github.com/zgttotev) made their first contribution in lxc/incus#1937 - [@​joecwilson](https://github.com/joecwilson) made their first contribution in lxc/incus#1943 - [@​irtaza9](https://github.com/irtaza9) made their first contribution in lxc/incus#1940 - [@​Abdomash](https://github.com/Abdomash) made their first contribution in lxc/incus#1953 - [@​kmxtn](https://github.com/kmxtn) made their first contribution in lxc/incus#1954 - [@​rahafjrw](https://github.com/rahafjrw) made their first contribution in lxc/incus#1956 - [@​ahmetfturhan](https://github.com/ahmetfturhan) made their first contribution in lxc/incus#1958 - [@​AbhinavTiruvee](https://github.com/AbhinavTiruvee) made their first contribution in lxc/incus#1962 **Full Changelog**: lxc/incus@v6.11.0...v6.12.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4xMS4yIiwidXBkYXRlZEluVmVyIjoiNDAuMTEuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90Il19-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bubblewrap [2], used by Flatpak [3], attempts to disable further userns creation by writing 1 to
/proc/sys/user/max_user_namespacesin a new userns, but this fails in a fresh unprivileged Incus container. This is safe even outside Bubblewrap's new userns because the files in/proc/sys/userare "the limits for the user namespace in which the opening process resides," [1] which is the Incus-created userns for the unprivileged container.Reproduce:
See:
[1]
namespaces(7): The /proc/sys/user directory[2] https://github.com/containers/bubblewrap/blob/main/bubblewrap.c#L3465
[3] https://github.com/flatpak/flatpak/blob/main/common/flatpak-run.c#L2238