Comment 10 for bug 2038567
Revision history for this message
| John Johansen (jjohansen) wrote Re: Mantic 6.5.0-7 kernel causes regression in LXD container usage | #10 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
9199653
demo site
(Get the code!)
Thanks John,
it has been confirmed that
1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow restricting unprivileged change_profile
is causing the issue. It has a sysctl to disable its behavior, but the sysctl can't be defaulted to off in the kernel. So to disable the sysctl, either
1. lxd needs to do it dynamically like it is doing for some other sysctls
2. we need the disable it at the system level
3. we revert the patch
For the time frame we are looking at, I recommend reverting the patch. Doing so will not materially affect the userns mediation feature. This patch is about closing off a confinement escape.