Tom Parrott
> lxd may need to grow some additional support around its handling of unprivileged user namespaces

LXD the daemon runs as root and then launches unprivileged processes with their own...
Although is this going to break security.nesting=true?
@simondeziel do you have any capacity to help evaluate the impact of this?
What is `unprivileged unconfined`? I am not too familiar with apparmor. And how does all this relate to snaps?
Thanks for the extra info. This is done in the snap package wrappers:

- https://github.com/canonical/lxd-pkg-snap/blob/2c294aa31f4ebf9862e232c1bf65de2e61492e81/snapcraft/wrappers/editor#L15
- https://github.com/canonical/lxd-pkg-snap/blob/2c294aa31f4ebf9862e232c1bf65de2e61492e81/snapcraft/wrappers/run-host#L12
- https://github.com/canonical/lxd-pkg-snap/blob/2c294aa31f4ebf9862e232c1bf65de2e61492e81/snapcraft/wrappers/remote-viewer#L14

My understanding is so these commands can perform an unprivileged chroot:...
Can we have the lxd package's unprivileged client commands run with an apparmor profile that has sufficient access?
@simondeziel yeah I think lxd itself is going to be ok as it's root anyway and can load apparmor profiles. But for unprivileged `lxc` commands, would they be able to...
@mihalicyn because LXD runs as root and we already apply our own apparmor profile to containers when we launch them this shouldn't be too much of an issue. My main...
> LXD runs as root. But if you use a nested container then a user namespace of a nested container has to be created from an unprivileged user. That's the issue....
> Maybe we could stop escaping it?

Not without knowing why it does that - which I don't. Also, does that mean that when snap invokes the lxc tools they...