incusd/apparmor/lxc: Don't bother with sys/proc protections when nesting enabled #2624
Conversation
When nesting is enabled, it's possible for the container to get a clean copy of /proc or /sys mounted anywhere without AppArmor being able to mediate. So there's little point in trying to apply safety checks on top of the main /proc and /sys.

On top of that, we've recently discovered that AppArmor doesn't properly handle file access relative to a file descriptor, causing a bunch of those checks to deny access when they shouldn't.

Closes lxc#2623

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
I was trying out this fix. I have Ubuntu Noble. I checked the lts, stable and noble suites and all of them only contain version 6.0.5 which I think does not contain this fix?

Sorry, total noob here. I am using LXCs on TrueNAS (which uses Incus). Previously had ptero set up and working. Had to rebuild it, and now I see that there is this issue with LXCs ... do we know if there will be a fix any time soon? Thanks so much.

@hamboosh478 that's up to the TrueNAS team. We don't control what version of Incus and what fixes get backported by specific distributions.

Right, thanks. One last question: Is this a bug stemming from the specific incus version? And if not then what is the source?

@Thomas-Langford I think you should look at this: opencontainers/runc#4968

Is this fix coming to the Incus 6.0.x LTS? My setup also got broken.

We'll be tagging 6.0.6 LTS in the next 2-3 weeks, but whether distros pick it up and when is completely up to them.
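A host-side check for the situation the thread keeps coming back to (which instances are affected while a distribution still ships an older release), written as an added example for this page and not code from the Incus project or from this PR: it lists instances with security.nesting enabled on a server whose version is older than a threshold. The threshold defaults to 6.0.6 only because that is the LTS release the maintainer says is about to be tagged above; it is an assumption, so set FIX_VERSION to whichever release actually ships the change. The incus invocations (incus version, incus list -c n --format csv, incus config get <name> security.nesting) and the "Server version:" line format are assumed as well.

```shell
#!/bin/sh
# Added example; not part of Incus or of this PR.
# Flags instances with security.nesting=true on a server older than
# FIX_VERSION. The default threshold is an assumption taken from the
# maintainer's remark in this thread (6.0.6 LTS); override it as needed.

FIX_VERSION="${FIX_VERSION:-6.0.6}"

# version_lt A B: exit 0 when dotted version A sorts before B.
# Pure POSIX sh so it does not depend on GNU "sort -V"; a missing
# component counts as 0, and a trailing suffix like "-rc1" is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# server_version: assumed to read a "Server version: X.Y.Z" line from
# `incus version`. Prints nothing when the CLI or daemon is unavailable.
server_version() {
    incus version 2>/dev/null | awk -F': *' '/^Server version/ {print $2; exit}'
}

# nested_instances: print the names of instances whose security.nesting
# is set to true (assumed `incus list` / `incus config get` invocations).
nested_instances() {
    incus list -c n --format csv 2>/dev/null | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$(incus config get "$name" security.nesting 2>/dev/null)" = "true" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# audit: exit 1 when the server predates FIX_VERSION and nested instances
# exist, 2 when the version cannot be read, 0 otherwise.
audit() {
    ver="$(server_version)"
    if [ -z "$ver" ]; then
        echo "could not determine incus server version" >&2
        return 2
    fi
    if version_lt "$ver" "$FIX_VERSION"; then
        nested="$(nested_instances)"
        if [ -n "$nested" ]; then
            echo "incus $ver predates $FIX_VERSION; instances with security.nesting=true:" >&2
            printf '%s\n' "$nested" | sed 's/^/  /' >&2
            return 1
        fi
    fi
    echo "incus $ver: no affected instances found"
    return 0
}

# Usage: sh audit-nesting.sh run      (functions only when sourced or run without "run")
if [ "${1:-}" = "run" ]; then
    audit
fi
```

The version comparison is kept separate from the incus calls so it can be exercised on its own; the audit itself only reports, leaving the decision about disabling nesting or upgrading to the operator.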