https://github.com/lxc/lxd/issues/5439#issuecomment-461257784
> The fix in LXD is only partial because there's currently no safe way for
> us to fix that for privileged containers due to an apparmor parser bug
> that the AppArmor team is still working on. So we've made the change only
> to the unprivileged policy for now as the AppArmor bug isn't causing too
> much damage in that case. There's no such distinction in profile in LXC,
> so putting those same lines in the LXC policy would allow every user to
> bypass all mount protections, which isn't acceptable from a security
> point of view. So the LXC fix is effectively blocked on the AppArmor
> security bug being resolved first.

** This bug is no longer a duplicate of bug 1813622
   systemd-resolved, systemd-networkd and others fail to start in lxc container with v240 systemd

** Bug watch added: LXD bug tracker #5439
   https://github.com/lxc/lxd/issues/5439

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1811248

Title:
  systemd-networkd mounts denied for lxc guest

Status in apparmor package in Ubuntu:
  New

Bug description:
  Host Ubuntu cosmic | lxc 3.0.3 | aa 2.12 | systemd 239-7
  Guest Arch Linux | systemd 240.0

  After having upgraded in the guest systemd from 239.370 to 240.0 the host's AA is exhibiting

  > audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw, rslave"

  and the guest

  > systemd-networkd.service: Failed to set up mount namespacing: Permission denied
  > systemd-networkd.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-networkd: Permission denied

  According to lxc bug tracker https://github.com/lxc/lxc/issues/2778

  > While we'd like to allow such mounts we cannot do so until the apparmor_parser is fixed to handle them correctly.
  Other cross references:
  https://github.com/systemd/systemd/issues/11371
  https://bugs.archlinux.org/task/61313
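Added example, not code from the bug report or from LXC, LXD or AppArmor: a POSIX shell triage script that picks AppArmor mount denials out of kernel or audit log lines like the one quoted in the description, prints profile, comm, target and flags, and separates denials that only change mount propagation (rslave and friends, which is what systemd's per-service mount namespacing asks for and what the LXC profile rejects with "failed flags match") from denials of other mounts that should not be waved through with the same policy change. The sample log lines are constructed here, and the function names are invented for this example.

```shell
#!/bin/sh
# Added example for triaging AppArmor mount denials like the one in the report.
# Not code from the bug, LXC, LXD or AppArmor. Works on plain audit lines from
# dmesg, journalctl -k, or /var/log/audit/audit.log.

# aa_field KEY LINE: print the quoted value of KEY="..." from one audit line.
# Keys are space separated but values may contain spaces (flags="rw, rslave"),
# so match on the surrounding quotes rather than splitting on whitespace.
aa_field() {
    printf '%s\n' "$2" | awk -v key="$1" '{
        re = " " key "=\"[^\"]*\""
        if (match($0, re))
            print substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        else
            print "-"
    }'
}

# aa_mount_denials: read audit lines on stdin, emit one TSV row
# (profile, comm, name, flags) per AppArmor mount denial; everything else is dropped.
aa_mount_denials() {
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*'operation="mount"'*)
                printf '%s\t%s\t%s\t%s\n' \
                    "$(aa_field profile "$line")" "$(aa_field comm "$line")" \
                    "$(aa_field name "$line")" "$(aa_field flags "$line")"
                ;;
        esac
    done
}

# aa_is_propagation_change FLAGS: succeed only when the denied mount changes
# propagation (slave/rslave/shared/rshared/private/rprivate/unbindable/runbindable)
# and carries nothing else besides rw/ro. A bind, remount or fstype mount that also
# mentions rslave is a different request and is reported as OTHER.
aa_is_propagation_change() {
    _aa_flags=$(printf '%s' "$1" | tr -d ' ')
    case ",$_aa_flags," in
        *,slave,*|*,rslave,*|*,shared,*|*,rshared,*|*,private,*|*,rprivate,*|*,unbindable,*|*,runbindable,*)
            _aa_rest=$(printf '%s' "$_aa_flags" | tr ',' '\n' \
                | grep -v -E '^(rw|ro|slave|rslave|shared|rshared|private|rprivate|unbindable|runbindable)$' || true)
            [ -z "$_aa_rest" ]
            ;;
        *) return 1 ;;
    esac
}

# aa_triage: prefix each denial row with PROPAGATION or OTHER.
aa_triage() {
    aa_mount_denials | while IFS="$(printf '\t')" read -r profile comm name flags; do
        if aa_is_propagation_change "$flags"; then kind=PROPAGATION; else kind=OTHER; fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$kind" "$profile" "$comm" "$name" "$flags"
    done
}

# Constructed sample: the denial from the report, an unrelated AppArmor file
# denial, and an ordinary kernel line, to show only the mount event survives.
SAMPLE_LOG='audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw, rslave"
audit: type=1400 audit(1547125170.001:723): apparmor="DENIED" operation="open" profile="lxc-container-default-cgns" name="/proc/sysrq-trigger" pid=8430 comm="cat" requested_mask="w" denied_mask="w"
kernel: eth0: link becomes ready'

printf '%s\n' "$SAMPLE_LOG" | aa_triage
# Real use on a host: journalctl -k -o cat | aa_triage
```

The split matters because the LXD comment above says the rules that would allow these propagation mounts cannot yet be expressed safely for all containers; a PROPAGATION row tells you the guest is hitting exactly that gap, while an OTHER row means a service is attempting a mount the container profile is meant to refuse regardless of the parser bug.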