Simon McVittie

Results 826 comments of Simon McVittie

> The bubblewrap errors that I am encountering are due to the above apparmor profile being permissive enough for nested LXC containers, but not permissive enough for whatever system calls...

> For the sake of testing without having to poke giant holes in my sandbox, can you tell me a bubblewrap command line I could use to test this chroot...

I think if you were using bubblewrap non-trivially (actually changing processes' view of the filesystem), you would find that the rules you found that you needed for pressure-vessel are also...

> I'm afraid `pivot_root` is a known bypass for apparmor rules

It depends on the AppArmor rules and how they are being used. If you're using AppArmor in a way that...

> I'm somewhat surprised you didn't also need to add options to mount a tmpfs below `/newroot`.

Ah, I see this is because `/etc/apparmor.d/abstractions/lxc/container-base` already allows that.

> The thing is lxc apparmor profiles rely on apparmor blocking access to various sensitive files which are visible in container namespace

If that's the case, then it is not...

My opinion is the same here as in Flatpak: I'm OK with being one of multiple maintainers, but I'm not willing to be a single point of failure. (I'm not...

I'll see if I can get that set up in my fork (but I have a queue of things to get through today, so I might not get there soon).

> Agree, let's use GH actions. #417

@cgwalters, please could you disable whatever implements the `required` check? It seems to be permanently stuck. I had hoped that #418 would disable PAPR, but apparently not. #417 adds Github...