Update 0001-nesting-Extend-mount-permissions-in-apparmor-to-allo.patch
Add /run/systemd/mount-rootfs/ to the list of allowed rw,rbind mounts in the default nesting apparmor profile.
On a trixie host running an unprivileged container as a non-root user, several systemd services with restrictions enabled fail to start, such as systemd-networkd. On the host I see
[  133.097529] audit: type=1400 audit(1761509331.076:122): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1058 comm="(resolved)" srcname="/" flags="rw, rbind"
[  133.104535] audit: type=1400 audit(1761509331.084:123): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1076 comm="(resolved)" srcname="/" flags="rw, rbind"
[  133.107038] audit: type=1400 audit(1761509331.088:124): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1078 comm="(md-udevd)" srcname="/" flags="rw, rbind"
[  133.112981] audit: type=1400 audit(1761509331.092:125): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1083 comm="(md-udevd)" srcname="/" flags="rw, rbind"
[  133.113513] audit: type=1400 audit(1761509331.092:126): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1080 comm="(resolved)" srcname="/" flags="rw, rbind"
[  133.120407] audit: type=1400 audit(1761509331.100:127): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1086 comm="(md-udevd)" srcname="/" flags="rw, rbind"
[  133.120610] audit: type=1400 audit(1761509331.100:128): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1085 comm="(resolved)" srcname="/" flags="rw, rbind"
Extending the existing patch to also allow the read-write bind mounting of /run/systemd/mount-rootfs/ within the container allows the services to start. There are then messages about pivotroot being denied, but the services seem to be running alright.
[   43.510771] audit: type=1400 audit(1761508158.634:122): apparmor="DENIED" operation="pivotroot" class="mount" profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1216 comm="(md-udevd)" srcname="/run/systemd/mount-rootfs/"
[   43.512532] audit: type=1400 audit(1761508158.638:123): apparmor="DENIED" operation="pivotroot" class="mount" profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1211 comm="(resolved)" srcname="/run/systemd/mount-rootfs/"
[   43.563000] audit: type=1400 audit(1761508158.686:124): apparmor="DENIED" operation="pivotroot" class="mount" profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1229 comm="(networkd)" srcname="/run/systemd/mount-rootfs/"
[   43.662709] audit: type=1400 audit(1761508158.786:125): apparmor="DENIED" operation="pivotroot" class="mount" profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1243 comm="(d-logind)" srcname="/run/systemd/mount-rootfs/"
[   46.994116] audit: type=1400 audit(1761508162.126:127): apparmor="DENIED" operation="pivotroot" class="mount" profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1271 comm="(ostnamed)" srcname="/run/systemd/mount-rootfs/"
I think this should be OK, and I'm not sure exactly when /run/systemd/mount-rootfs/ became important to systemd. I'd like to get an ACK/NACK from @peb before merging, though.
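As an added triage helper (not part of this merge request or the lxc packaging), the script below parses the kernel audit lines quoted above, collapses them into the distinct permissions the profile lacks (dropping pid, comm and timestamps), and for plain mount denials prints a candidate rule in AppArmor mount-rule syntax. The sample lines are copied from this thread; the rule text format is my assumption and should be checked against apparmor.d(5) and the existing nesting profile before use.

```python
import re
from collections import Counter

# Audit lines as quoted in this thread (embedded here as constructed sample input).
SAMPLE_LOG = """\
[  133.097529] audit: type=1400 audit(1761509331.076:122): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1058 comm="(resolved)" srcname="/" flags="rw, rbind"
[  133.107038] audit: type=1400 audit(1761509331.088:124): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1078 comm="(md-udevd)" srcname="/" flags="rw, rbind"
[   43.510771] audit: type=1400 audit(1761508158.634:122): apparmor="DENIED" operation="pivotroot" class="mount" profile="lxc-container-default-with-nesting" name="/run/systemd/mount-rootfs/" pid=1216 comm="(md-udevd)" srcname="/run/systemd/mount-rootfs/"
"""

# key="quoted value" or key=bareword; quoted values may contain spaces (flags="rw, rbind").
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def summarize_denials(log_text):
    """Count DENIED events by (profile, operation, srcname, name, flags).

    Collapsing on these fields shows which distinct permissions the profile
    lacks rather than how many processes tripped over them."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        key = (ev.get("profile"), ev.get("operation"), ev.get("srcname"),
               ev.get("name"), ev.get("flags", ""))
        counts[key] += 1
    return counts


def suggest_mount_rule(key):
    """Candidate AppArmor rule for a denied mount; syntax is an assumption, see apparmor.d(5).

    Only plain mount operations get a suggestion; pivotroot and others return None so a
    human decides whether they need a rule at all."""
    profile, op, src, dst, flags = key
    if op != "mount":
        return None
    opts = ",".join(f.strip() for f in flags.split(",") if f.strip())
    return f"mount options=({opts}) {src} -> {dst},"


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(n, key, suggest_mount_rule(key) or "(no rule suggested)")
```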