Comment 15 for bug 1878225

Stéphane Graber (stgraber) wrote : Re: snapd.seeded.service waits forever (?) to have snaps seeded in LXD on s390x and arm64

Looks like a privileged container without nesting enabled. This gets some pretty strict apparmor rules to prevent trivial privilege escalation. I'm not sure that there's really much that can be done here, especially considering the many issues with apparmor and its mount rules.

We allow a lot more in unprivileged containers because we don't really rely on apparmor there for security and so can relax rules quite a bit to make systemd and others happy. This relaxing makes bypass of mount rules trivial, but the user namespace is the enforcement mechanism in that case and will prevent you from escaping.
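As an added example (not part of this bug thread and not LXD's own code): a POSIX shell helper that reads a container's expanded config, in the format `lxc config show --expanded <name>` prints, and reports which of the two enforcement regimes the comment above describes applies to it. `security.privileged` and `security.nesting` are LXD's real config keys; the function names and the sample configs are constructed for this example, and the "privileged with nesting" branch is an assumption that follows from the comment (nesting is what lifts the strict rules, and a privileged container has no user namespace to fall back on).

```shell
#!/bin/sh
# Added example: classify an LXD container's confinement regime from its
# expanded config. Not from the bug thread or from LXD; helper names are
# assumed, sample configs below are constructed.

# config_value CONFIG_TEXT KEY
# Prints the value of KEY from the "config:" section of `lxc config show
# --expanded` output. LXD stores booleans as quoted strings ("true"), so the
# quotes are stripped. An absent key is reported as "false", which is LXD's
# default for both security.privileged and security.nesting.
config_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k ":" { v = $2; gsub(/"/, "", v); print v; found = 1; exit }
        END { if (!found) print "false" }'
}

# lxd_confinement_regime CONFIG_TEXT
# Prints one token:
#   privileged-no-nesting  strict apparmor mount rules are the boundary
#   privileged-nesting     apparmor relaxed for nesting, no user namespace
#   unprivileged           apparmor relaxed, user namespace is the boundary
lxd_confinement_regime() {
    priv=$(config_value "$1" security.privileged)
    nest=$(config_value "$1" security.nesting)
    if [ "$priv" = "true" ]; then
        if [ "$nest" = "true" ]; then
            echo "privileged-nesting"
        else
            echo "privileged-no-nesting"
        fi
    else
        echo "unprivileged"
    fi
}

# Constructed sample: a privileged container, nesting left at default.
SAMPLE_PRIVILEGED='architecture: s390x
config:
  image.os: Ubuntu
  security.privileged: "true"
devices:
  root:
    path: /
    pool: default
    type: disk'

# Constructed sample: privileged with nesting turned on.
SAMPLE_PRIVILEGED_NESTING='architecture: aarch64
config:
  security.nesting: "true"
  security.privileged: "true"
devices: {}'

# Constructed sample: unprivileged (no security.privileged key at all).
SAMPLE_UNPRIVILEGED='architecture: x86_64
config:
  image.os: Ubuntu
  security.nesting: "true"
devices: {}'

# Stand-alone run: classify the samples, then a live container if one is
# named on the command line and the lxc client is installed.
echo "sample privileged:         $(lxd_confinement_regime "$SAMPLE_PRIVILEGED")"
echo "sample privileged+nesting: $(lxd_confinement_regime "$SAMPLE_PRIVILEGED_NESTING")"
echo "sample unprivileged:       $(lxd_confinement_regime "$SAMPLE_UNPRIVILEGED")"
if command -v lxc >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    echo "$1: $(lxd_confinement_regime "$(lxc config show --expanded "$1")")"
fi
```

Run it as `sh regime.sh <container-name>` on a host with the lxc client to see which regime the comment's reasoning applies to; a `privileged-no-nesting` result means the strict apparmor mount rules, not a user namespace, are what stands between the container and the host, which is the situation described in this comment.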