Right, libvirt-lxc isn't LXC (even though they sort of stole the name) and is indeed completely unsafe...
As for the rest, I'm happy to report that you misread the apparmor profile and that we thought of and blocked all of those from the beginning as is shown below:
root@lxc-dev:/# echo abc > /sys/kernel/uevent_helper
bash: /sys/kernel/uevent_helper: Permission denied
root@lxc-dev:/# echo abc > /sys/class/mem/null/uevent
bash: /sys/class/mem/null/uevent: Permission denied
root@lxc-dev:/# mount -t sysfs syfs /mnt
mount: block device syfs is write-protected, mounting read-only
mount: cannot mount block device syfs read-only
root@lxc-dev:/# mount --bind /sys /mnt
mount: block device /sys is write-protected, mounting read-only
mount: cannot mount block device /sys read-only