This is how we mount it manually for the container when it has dropped CAP_SYS_ADMIN:
mount("cgroup", "/usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/unified", "cgroup2", MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME, NULL) = 0
And this is how systemd mounts by itself in the container with the appropriate AppArmor deny:
mount("cgroup", "/sys/fs/cgroup/unified", "cgroup2", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EACCES (Permission denied)
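The two strace lines above differ in the errno the kernel returns, and that difference is the diagnostic: a mount refused by a missing capability reports EPERM, while a mount that passed the capability check but was vetoed by an LSM policy (here the AppArmor profile) reports EACCES. The following C program is an added example, not code from the thread or from the LXC or systemd projects; it attempts the same cgroup2 mount with the same flags systemd uses and classifies the outcome. The target path is a hypothetical placeholder and the program needs root (and an empty mount point) to actually succeed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Outcome of a cgroup2 mount attempt, mapped from errno. */
enum mount_outcome {
    MOUNT_OK,            /* mount(2) returned 0 */
    MOUNT_NO_CAP,        /* EPERM: caller lacks CAP_SYS_ADMIN in this namespace */
    MOUNT_LSM_DENIED,    /* EACCES: an LSM (AppArmor/SELinux) policy vetoed it */
    MOUNT_OTHER_ERROR    /* ENOENT, EBUSY, ... : not a permission question */
};

/* Flags systemd uses for the cgroup2 hierarchy, as shown in the strace output. */
static const unsigned long CGROUP2_FLAGS = MS_NOSUID | MS_NODEV | MS_NOEXEC;

/* Classify a mount(2) errno value. 0 means the call succeeded. */
enum mount_outcome classify_mount_errno(int err)
{
    switch (err) {
    case 0:      return MOUNT_OK;
    case EPERM:  return MOUNT_NO_CAP;
    case EACCES: return MOUNT_LSM_DENIED;
    default:     return MOUNT_OTHER_ERROR;
    }
}

/* Attempt the cgroup2 mount at `target` and report what blocked it, if anything.
 * Returns the classified outcome and stores the raw errno in *saved_errno. */
enum mount_outcome try_cgroup2_mount(const char *target, int *saved_errno)
{
    int rc = mount("cgroup", target, "cgroup2", CGROUP2_FLAGS, NULL);
    *saved_errno = (rc == 0) ? 0 : errno;
    return classify_mount_errno(*saved_errno);
}

static const char *outcome_text(enum mount_outcome o)
{
    switch (o) {
    case MOUNT_OK:          return "mounted";
    case MOUNT_NO_CAP:      return "denied by capability check (EPERM): CAP_SYS_ADMIN missing";
    case MOUNT_LSM_DENIED:  return "denied by LSM policy (EACCES): check the AppArmor profile";
    default:                return "failed for a non-permission reason";
    }
}

int main(void)
{
    /* Hypothetical mount point; replace with the real unified cgroup path. */
    const char *target = "/tmp/cgroup2-probe";
    int err = 0;
    enum mount_outcome o = try_cgroup2_mount(target, &err);
    printf("mount(\"cgroup\", \"%s\", \"cgroup2\", ...) -> %s (errno %d: %s)\n",
           target, outcome_text(o), err, err ? strerror(err) : "success");
    return o == MOUNT_OK ? 0 : 1;
}
```

When run inside the container, an EPERM result points at dropped capabilities, whereas the EACCES seen in the thread points at the AppArmor deny rule and not at the capability set; keeping the two apart avoids loosening capabilities to work around what is really a profile decision.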