I'm coming from https://github.com/lxc/lxd/issues/6799 where daemons inside containers are unable to get proper mount namespace setup due to what seems like an Apparmor bug (this one?).

Starting systemd-networkd inside a container (foo) will generate this:

apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-foo_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=2338 comm="(networkd)" flags="ro, remount, noatime, bind"

This causes the entire FS tree as seen by systemd-networkd to remain read-write and visible. This is despite having the following restrictions supposedly applied:

$ systemctl cat systemd-networkd | grep -E 'Protect(Home|System)'
ProtectSystem=strict
ProtectHome=yes

ProtectSystem is supposed to have everything remounted as read-only and ProtectHome is supposed to make /home and /root inaccessible. None of this works and I find it worrying :/
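The denial above is the only visible trace that the unit's ProtectSystem=/ProtectHome= sandboxing never took effect; the service itself starts normally. The following is an added example, not code from this issue, LXD or systemd, that parses AppArmor audit lines in the key="value" format shown above and flags denied bind remounts under /run/systemd/unit-root, which is where systemd builds the sandboxed view of the filesystem. The sample log is constructed: its first line reproduces the denial from this report, the other two are invented here to exercise the filter.

```python
import re
from dataclasses import dataclass

# Constructed sample: line 1 is the denial from the report, lines 2 and 3 are
# made up here (an allowed bind mount and an unrelated file-open denial).
SAMPLE_LOG = """\
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-foo_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=2338 comm="(networkd)" flags="ro, remount, noatime, bind"
apparmor="ALLOWED" operation="mount" profile="lxd-foo_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=2338 comm="(networkd)" flags="rw, bind"
apparmor="DENIED" operation="open" profile="lxd-foo_</var/snap/lxd/common/lxd>" name="/etc/shadow" pid=2400 comm="cat" requested_mask="r" denied_mask="r"
"""

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces, commas, '<' and '>') or a bare token such as -13 or 2338.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line: str) -> dict:
    """Split an AppArmor audit line into a dict, stripping value quotes."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


@dataclass
class MountDenial:
    profile: str
    target: str
    flags: tuple
    comm: str
    pid: int


def find_sandbox_mount_denials(log_text: str,
                               target_prefix: str = "/run/systemd/unit-root") -> list:
    """Return denied mount operations aimed at systemd's per-unit sandbox root.

    systemd applies ProtectSystem= by bind-mounting the tree under unit-root
    and remounting it read-only, so a denied "ro, remount, bind" on that path
    means the read-only protection silently failed, as described in the report.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "mount":
            continue
        if not f.get("name", "").startswith(target_prefix):
            continue
        flags = tuple(x.strip() for x in f.get("flags", "").split(",") if x.strip())
        hits.append(MountDenial(profile=f.get("profile", ""),
                                target=f["name"],
                                flags=flags,
                                comm=f.get("comm", ""),
                                pid=int(f.get("pid", 0))))
    return hits


def describe(hit: MountDenial) -> str:
    """Human-readable summary for an alert or a post-incident note."""
    kind = "read-only remount" if {"ro", "remount"} <= set(hit.flags) else "mount"
    return (f"profile {hit.profile}: denied {kind} of {hit.target} for "
            f"{hit.comm} (pid {hit.pid}); unit sandboxing is not in effect")


if __name__ == "__main__":
    for hit in find_sandbox_mount_denials(SAMPLE_LOG):
        print(describe(hit))
```

Running this on the sample reports only the first line: the allowed mount and the unrelated open denial are skipped. In practice the input would be the host's audit log or `journalctl -k` output, and a hit on a profile that should permit the remount is the cue to inspect that profile's mount rules rather than to trust the unit file.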