[pkg-lxc-devel] Bug#1124515: Namespaces are unavailable for non-root containers

Max Nikulin manikulin at gmail.com
Fri Jan 2 04:15:37 GMT 2026


Package: liblxc-common
Version: 1:6.0.4-4+b3

It seems the fix for #1098521 (0003-apparmor-4x-userns.patch) is
incomplete and a hunk for config/apparmor/abstractions/container-base
(without .in) is missing.

I have experienced issues with non-root unprivileged containers after
upgrading to Debian 13 trixie. Systemd units with a User=... directive fail
(trixie container, download template, e.g. systemd-networkd.service), and
applications cannot create namespaces for additional isolation even in
Debian 12 bookworm containers.

Container:

     systemd[1]: systemd-resolved.service: Main process exited, code=exited, status=217/USER

Host:

     audit: type=1400 audit(1766123064.132:280): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"

I have found #1098521, which is fixed, but the "userns," line is missing in
/etc/apparmor.d/abstractions/lxc/container-base. According to
config/apparmor/README, the file needs an explicit manual update after
modification of the ".in" template. I expect that the applied fix is
enough for the "generated" AppArmor profile for containers run by root,
but not for non-root containers.

I have noticed #1111087, but the related merge requests modify mount
rules.

I hope adding "userns," to container-base will not ruin the isolation of
privileged containers.

The following workaround avoids the issues for non-root, fully
unprivileged containers:

Add a "userns," line at the beginning of
/etc/apparmor.d/abstractions/lxc/container-base and run

     apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers

Alternatively, if namespaces are not necessary for applications running
inside containers, then the isolation of specific systemd units with User=
directives may be relaxed for trixie guests:

/etc/systemd/system/systemd-networkd.service.d/disable-namesplaces.conf

   [Service]
   LockPersonality=no
   MemoryDenyWriteExecute=no
   ProtectClock=no
   ProtectKernelLogs=no
   ProtectKernelModules=no
   RestrictAddressFamilies=
   RestrictNamespaces=no
   RestrictRealtime=no
   RestrictSUIDSGID=no
   SystemCallArchitectures=
   SystemCallFilter=
   # E.g. systemd-networkd should have these
   PrivateDevices=no
   PrivateTmp=no
   # for polkit.service
   ProtectHostname=no
   # Added by recent versions of the lxc generator
   # for the "download" template;
   # it may be necessary for upgraded containers.
   ImportCredential=
   PrivateNetwork=no

If it were not for the constant troubles with kernel and AppArmor bugs
causing issues with non-root containers, I would set a higher priority for
this issue.

Please consider updating 0003-apparmor-4x-userns.patch to add a hunk with
     userns,
for the config/apparmor/abstractions/container-base file.
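As an added example (not part of this bug report, the lxc package or Debian's patch set), the following Python script shows the two host-side checks an administrator would run for this problem: it parses audit lines in the format quoted above to count userns_create denials per AppArmor profile, and it checks whether an abstraction file carries an uncommented "userns," rule, prepending one idempotently when it is absent, as the workaround above does. The sample audit lines and the sample abstraction contents are constructed for the example; the audit field names (type, apparmor, operation, class, profile, comm) follow the denial quoted in the report.

```python
"""Host-side checks for AppArmor userns_create denials on LXC containers.

Added example, not code from the bug report or the lxc project. The audit
lines and abstraction text below are constructed samples; a real run would
read `dmesg`/journal output and /etc/apparmor.d/abstractions/lxc/container-base.
"""
import re
from collections import Counter

# Constructed audit lines modelled on the denial quoted in the report.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1766123064.132:280): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns" pid=1234 comm="systemd-network" requested="userns_create" denied="userns_create"
audit: type=1400 audit(1766123065.001:281): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns" pid=1250 comm="(sd-exec)" requested="userns_create" denied="userns_create"
audit: type=1400 audit(1766123070.500:282): apparmor="ALLOWED" operation="userns_create" class="namespace" profile="lxc-container-default" pid=1300 comm="unshare"
audit: type=1400 audit(1766123071.000:283): apparmor="DENIED" operation="mount" class="mount" profile="lxc-container-default-cgns" pid=1301 comm="mount"
"""

# Constructed stand-in for an abstraction file that lacks the rule; the
# commented-out line must not count as present.
SAMPLE_ABSTRACTION = """\
# stand-in for /etc/apparmor.d/abstractions/lxc/container-base
  network,
  capability,
  file,
  # userns,
"""

# key=value tokens; values are either double-quoted or a bare non-space run.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# An uncommented AppArmor rule line `userns,` with optional trailing comment.
USERNS_RULE_RE = re.compile(r'^\s*userns\s*,\s*(#.*)?$')


def parse_audit_line(line):
    """Return the key=value fields of one audit line with quotes stripped."""
    return {key: value.strip('"') for key, value in TOKEN_RE.findall(line)}


def userns_denials(log_text):
    """Yield (profile, comm) for every AppArmor DENIED userns_create event."""
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("type") != "1400":          # not an AppArmor audit record
            continue
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "userns_create":
            yield fields.get("profile", "?"), fields.get("comm", "?")


def denials_by_profile(log_text):
    """Count userns_create denials per AppArmor profile name."""
    return Counter(profile for profile, _ in userns_denials(log_text))


def has_userns_rule(abstraction_text):
    """True if the abstraction text contains an uncommented `userns,` rule."""
    return any(USERNS_RULE_RE.match(line) for line in abstraction_text.splitlines())


def add_userns_rule(abstraction_text):
    """Prepend `userns,` (as the report's workaround does) unless it is already present."""
    if has_userns_rule(abstraction_text):
        return abstraction_text
    return "  userns,\n" + abstraction_text


if __name__ == "__main__":
    for profile, count in denials_by_profile(SAMPLE_AUDIT).items():
        print(f"{profile}: {count} userns_create denial(s)")
    print("rule present before:", has_userns_rule(SAMPLE_ABSTRACTION))
    fixed = add_userns_rule(SAMPLE_ABSTRACTION)
    print("rule present after: ", has_userns_rule(fixed))
```

After editing the real abstraction file the profile still has to be reloaded with the apparmor_parser command given above; the script only reports and edits text, it never loads a profile itself.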



More information about the Pkg-lxc-devel mailing list