
Ubuntu 24.04 AppArmor breaks pivot_root inside LXD containers

Open WereCatf opened this issue 3 months ago • 22 comments

Required information

  • Distribution: Ubuntu
  • Distribution version: 24.04
  • The output of "snap list --all lxd core20 core22 core24 snapd":
    Name    Version         Rev    Tracking       Publisher   Notes
    core22  20240408        1380   latest/stable  canonical✓  base
    lxd     5.21.1-98dad8f  28323  5.21/stable/…  canonical✓  -
    snapd   2.62            21465  latest/stable  canonical✓  snapd

  • The output of "lxc info" or if that fails:
    • Kernel version: 6.8.0-31-generic
    • LXC version: 5.21.1 LTS
    • LXD version: 5.21.1 LTS
    • Storage backend in use: Btrfs

Issue description

Attempting to run e.g. docker run hello-world inside a container fails even with security.nesting enabled. Docker spits out the following error:

docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied: unknown.
ERRO[0000] error waiting for container:

Dmesg shows an AppArmor error after attempting to run Docker: [ 108.876252] audit: type=1400 audit(1714085791.618:236): apparmor="DENIED" operation="pivotroot" class="mount" namespace="root//lxd-testi_<var-snap-lxd-common-lxd>" profile="runc" name="/var/lib/docker/overlay2/9664d056286b3d0a93188f5fd09aba3fd82a6326c6ab7c9e3197a99996078eff/merged/" pid=2580 comm="runc:[2:INIT]" srcname="/var/lib/docker/overlay2/9664d056286b3d0a93188f5fd09aba3fd82a6326c6ab7c9e3197a99996078eff/merged/"

Steps to reproduce

  1. Install Ubuntu 24.04
  2. Set up LXD and launch a container with security.nesting=true
  3. Attempt to run a Docker container inside the container

WereCatf, Apr 25 '24 22:04
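As an added example (not code from the issue, from LXD or from Docker), a small Python parser that pulls the key="value" fields out of AppArmor audit lines like the dmesg line quoted in the report and flags denials that originate from a container's nested AppArmor namespace, so the pivot_root denial can be spotted and attributed to a container from the host's log. The sample dmesg text is constructed around the line quoted above, and the `root//lxd-<container>_<...>` namespace layout is assumed from that line.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the audit line quoted in the issue, plus two unrelated
# lines (an ALLOWED event and a non-AppArmor message) that the filter must skip.
SAMPLE_DMESG = """[  108.876252] audit: type=1400 audit(1714085791.618:236): apparmor="DENIED" operation="pivotroot" class="mount" namespace="root//lxd-testi_<var-snap-lxd-common-lxd>" profile="runc" name="/var/lib/docker/overlay2/9664d056286b3d0a93188f5fd09aba3fd82a6326c6ab7c9e3197a99996078eff/merged/" pid=2580 comm="runc:[2:INIT]" srcname="/var/lib/docker/overlay2/9664d056286b3d0a93188f5fd09aba3fd82a6326c6ab7c9e3197a99996078eff/merged/"
[  109.000000] audit: type=1400 audit(1714085791.700:237): apparmor="ALLOWED" operation="open" class="file" profile="snap.lxd.daemon" name="/etc/hosts" pid=2601 comm="lxd"
[  110.123456] eth0: link up
"""

# AppArmor prints fields as key="quoted value" or key=bare_value.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ApparmorDenial:
    operation: str
    profile: str
    namespace: str  # "root" on the host; "root//lxd-<name>_<...>" inside an LXD container (assumed layout)
    name: str
    pid: int
    comm: str

    @property
    def container(self) -> Optional[str]:
        """LXD container name when the denial came from a nested namespace, else None."""
        m = re.match(r"root//lxd-(.+?)_<", self.namespace)
        return m.group(1) if m else None


def parse_apparmor_line(line: str) -> dict[str, str]:
    """Return all key=value pairs on one audit line; quoted values keep their spaces."""
    return {k: (q if q != "" or b == "" else b) for k, q, b in _FIELD_RE.findall(line)}


def find_denials(dmesg_text: str, operation: Optional[str] = None) -> list[ApparmorDenial]:
    """Collect DENIED events from dmesg text, optionally restricted to one operation (e.g. "pivotroot")."""
    found = []
    for line in dmesg_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = parse_apparmor_line(line)
        if operation and f.get("operation") != operation:
            continue
        found.append(ApparmorDenial(
            operation=f.get("operation", ""), profile=f.get("profile", ""),
            namespace=f.get("namespace", "root"), name=f.get("name", ""),
            pid=int(f.get("pid", "0")), comm=f.get("comm", "")))
    return found
```

Run over the real `dmesg` output on the host, `find_denials(text, "pivotroot")` returning a denial whose `container` is set and whose `profile` is "runc" is the signature of the nested-Docker failure the report describes.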