LXD: hide processes of other users in an LXD container


I tried to hide the processes of other users in an LXD container by specifically mounting /proc on the physical host with this line:
proc /proc proc remount,rw,hidepid=2,noexec,nosuid,nodev 0 0
But it doesn't affect the mount in the LXD container.
I also tried to modify the AppArmor config in the lxc-default-cgns file:

mount options=(rw, nosuid, nodev, noexec, remount, silent, relatime) -> /proc/,

It doesn’t run.

Best regards.

More information: the LXD version is 3.7 and it is managed by snap.

The containers get their own mount of proc, so you probably should be changing the fstab in the container to mount proc with the options you want.

I did it without success. Proc has been mounted with the hidepid=2 option but I still see processes which I don't own.
When I run the mount command in the container, it displays the file systems mounted on the physical host. When I run more /etc/fstab, it displays:
/dev/root / rootfs defaults 0 0
proc /proc proc remount,rw,hidepid=2,noexec,nosuid,nodev 0 0

But I still see the processes of other users in the container.

@brauner think that’s a kernel bug?

There is a procfs remount bug but I'm not sure if it is related here. If it is this bug then the plan was to fix this in the new mount API. Let me try and reproduce.

This works for me at least when I manually do the remount. Please note that as the root user you will still see all of the processes. The users in the group specified via gid will also see all processes.

Here is the kernel version and OS of the physical host: Ubuntu 18.04.1 LTS
kernel: generic

Which command did you run manually to remount /proc in the container, please?

lxc.apparmor.profile = unconfined

Then in the container:

mount -o remount,nosuid,noexec,nodev,hidepid=2,gid=1001 /proc

I'm using LXD 3.7 via snap. It doesn't know the "lxc.apparmor.profile" key when I try to set it on my container.
Furthermore, when I remount manually like you, the container system displays:
mount: cannot remount block device proc read-write, is write-protected

I succeeded in setting lxc.apparmor.profile on the container. But it is impossible to remount /proc, as if it is managed by something else, even after a reboot.

I made a mistake in my previous posts:
the file systems mounted in the container are different from the physical host for /proc

On container:
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
lxcfs on /proc/cpuinfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/diskstats type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/meminfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/stat type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/swaps type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/uptime type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)

On the physical host:
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime,hidepid=2)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=35,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)

@brauner @stgraber thanks, I succeeded in hiding the processes of other users when I ran exactly your command with the gid option.

Do you know if there is a way to mount /proc like this when I launch this container, instead of remounting /proc once the container is already launched?

No but adding the entry to /etc/fstab in the container should cause it to remount itself on boot before anything else starts up.
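A small check script, added here as an example (it is not from this thread or from LXD), that parses the procfs line in /proc/self/mounts format to confirm that hidepid=2 (and the gid= exception group) actually took effect, and, when run with --live as an unprivileged user inside the container, counts the /proc/<pid> entries not owned by the caller. The sample mount lines are constructed; the hidepid=invisible spelling is the newer kernel alias for hidepid=2, and GNU stat -c is assumed.

```sh
#!/bin/sh
# Constructed sample mount lines in /proc/self/mounts format (not real captures):
SAMPLE_HOST='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'
SAMPLE_CTR='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_GID='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0'

# proc_opt LINE NAME: print the value of mount option NAME (e.g. hidepid, gid)
# from a procfs mount line; prints nothing if the option is absent.
proc_opt() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $2 == "/proc" && $3 == "proc" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                split(o[i], kv, "=")
                if (kv[1] == name) { print kv[2]; exit }
            }
        }'
}

# hidepid_ok LINE: succeed only if hidepid=2 (or its newer spelling,
# hidepid=invisible) is set on the procfs mount.
hidepid_ok() {
    v=$(proc_opt "$1" hidepid)
    [ "$v" = "2" ] || [ "$v" = "invisible" ]
}

# check_live: inspect this system's /proc mount and count /proc/<pid> entries not
# owned by the caller. Root and members of the gid= group see everything, so run
# it as an ordinary user; with hidepid=2 the count should be 0.
check_live() {
    line=$(grep ' /proc proc ' /proc/self/mounts | head -n 1)
    if ! hidepid_ok "$line"; then
        echo "WARN: /proc is not mounted with hidepid=2: ${line:-no procfs mount found}"
        return 1
    fi
    me=$(id -u); n=0
    for d in /proc/[0-9]*; do
        owner=$(stat -c %u "$d" 2>/dev/null) || continue   # GNU stat assumed
        [ "$owner" = "$me" ] || n=$((n + 1))
    done
    echo "hidepid=$(proc_opt "$line" hidepid) gid=$(proc_opt "$line" gid) foreign_pids_visible=$n"
    [ "$n" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it once before and once after adding the fstab entry and rebooting the container; the second run, as a non-root user outside the gid group, should report foreign_pids_visible=0.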

OK, I have thought about it more. It's annoying to unconfine the container in order to customize the proc mount. It would be better to leave the container with its AppArmor profile and customize the proc mount. But it seems very difficult to do.