How to use mount in unprivileged container?

catfish · April 15, 2026, 12:42pm

Please, I can’t figure it out. No security is concerned as long as it remains unprivileged, but it will be kind i you tell me about security risks.

Just show me steps how to mount an img file in unprivileged container will be enough.

Thanks in advance.

stgraber · April 15, 2026, 5:09pm

The kernel doesn’t allow unprivileged mount in general, at least outside of virtual filesystems like tmpfs.

Incus has some limited support for bypassing that restriction with the security.syscalls.intercept.mount config keys, but that only handles a limit of cases.

Anyway, you can try setting:

security.syscalls.intercept.mount=true
security.syscalls.intercept.mount.allowed=ext4
security.syscalls.intercept.mount.shift=true

That would specifically allow ext4, but you can list more filesystems in there (comma separated).

catfish · April 16, 2026, 2:53pm

OK, I did mounted the img file as you said. But why after I mounted the img file in /mnt/img, everything in the folder is owned by nobody:nogroup? Please help me once again, I only need to know how can they be owned by root:root.

simos · April 16, 2026, 7:46pm

See the rest of the documentation at System call interception - Incus documentation and the part about security.syscalls.intercept.mount.shift.

Can you show the simplest working example of such a mount of a filesystem image?

catfish · April 17, 2026, 2:49am

Yes.

lxc@vnc:~$ sudo mount -o ro openwrt-25.12.2-x86-generic-generic-ext4-rootfs.img /mnt/img/
lxc@vnc:~$ ls -alh /mnt/img/
总计 68K
drwxr-xr-x 17 nobody nogroup 4.0K  3月26日 04:09 .
drwxr-xr-x  6 root   root    4.0K  4月17日 10:27 ..
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 bin
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 dev
drwxr-xr-x 26 nobody nogroup 4.0K  3月26日 04:09 etc
drwxr-xr-x 11 nobody nogroup 4.0K  3月26日 04:09 lib
drwx------  2 nobody nogroup 4.0K 1970年 1月 1日 lost+found
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 mnt
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 overlay
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 proc
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 rom
drwxr-x---  2 nobody nogroup 4.0K  3月26日 04:09 root
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 sbin
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 sys
drwxr-xr-x  2 nobody nogroup 4.0K  3月26日 04:09 tmp
drwxr-xr-x  7 nobody nogroup 4.0K  3月26日 04:09 usr
lrwxrwxrwx  1 nobody nogroup    3  3月26日 04:09 var -> tmp
drwxr-xr-x  4 nobody nogroup 4.0K  3月26日 04:09 www

And this is the profile:

config:
  security.syscalls.intercept.mount: "true"
  security.syscalls.intercept.mount.allowed: ext4
  security.syscalls.intercept.mount.shift: "true"
description: Incus profile for mount inside container
devices:
  loop:
    gid: "6"
    path: /dev/loop-control
    source: /dev/loop-control
    type: unix-char
  loop0:
    gid: "6"
    path: /dev/loop0
    source: /dev/loop0
    type: unix-block
  loop1:
    gid: "6"
    path: /dev/loop1
    source: /dev/loop1
    type: unix-block
  loop2:
    gid: "6"
    path: /dev/loop2
    source: /dev/loop2
    type: unix-block
  loop3:
    gid: "6"
    path: /dev/loop3
    source: /dev/loop3
    type: unix-block
  loop4:
    gid: "6"
    path: /dev/loop4
    source: /dev/loop4
    type: unix-block
  loop5:
    gid: "6"
    path: /dev/loop5
    source: /dev/loop5
    type: unix-block
  loop6:
    gid: "6"
    path: /dev/loop6
    source: /dev/loop6
    type: unix-block
  loop7:
    gid: "6"
    path: /dev/loop7
    source: /dev/loop7
    type: unix-block
name: mount

It seems like security.syscalls.intercept.mount.shift doesn’s work as expect.

simos · April 17, 2026, 10:17am

Thanks!

I think the overall process is quite tricky because there is no information shown in the logs when you get an error. I suppose also AppArmor could be involved as well. What’s needed, are instructions on creating an Incus VM of the appropriate image, and in there create a container using an appropriate container image. Perhaps Alpine VM with Alpine container?

The alternative is to add the disk image on your storage pool and then attach to the container. Do you have a use-case where this would not work well?

catfish · April 17, 2026, 10:27am

Everything is about waydroid. In unprivilege container, to start waydroid, it need kernel support binder and mount img file and something about bpf. But after mount img file, everything is owned by nobody:nogroup, waydroid can’t read, so waydroid container won’t start.

simos · April 17, 2026, 11:12am

Waydroid uses LXC. When you run it in an Incus container, do you enable security.nesting?
Or, are you trying to port Waydroid to use Incus containers instead of LXC?

catfish · April 17, 2026, 11:56am

Of cause I enabled security.nesting, I can run lxc-start in container. I just want to run Waydroid in a Incus container, but ran into too many troubles. Just trying to solve trouble one by one.

catfish · April 17, 2026, 12:15pm

Ok, it’s really AppArmor thing, after setting this, mounted path is owned by root:root.

config:
  raw.lxc: |
    lxc.apparmor.profile=unconfined

This topic is closed. I need to find out why waydroid lxc container failed to pin rootfs.