What does security.nesting=true do?

Hi
Thanks again to the community (and namely Stéphane) for all the answers we - and I - get on this forum!

I was in real trouble with AppArmor of my Debian Buster Host trying to make Mariadb and Redis work in my Debian Buster container (with LXD 3.22). Neither Mariadb nor Redis could start and I was getting this on the host:

Mariadb:
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-cloud_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/bin/" pid=2027 comm="(mysqld)" flags="ro, remount, noatime, bind"

Redis-server (s-server…):
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-cloud_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=2308 comm="(s-server)" flags="ro, remount, noatime, bind"

I finally fixed it after adapting that solution for LXC, by setting security.nesting=true on my container.

But :

  1. What does security.nesting=true do? (I couldn’t find any documentation about it.) What security impact does it have?
  2. Is that the right solution for the AppArmor error I listed above?

Thank you for your help!

No real security impact for unprivileged containers, rather disastrous security impacts for privileged containers (it allows bypassing apparmor and accessing /proc and /sys in unsafe ways).

It’s not a real solution but it’s a working solution. The real solution would be to have apparmor’s parser not be horribly broken when it comes to mount handling… we’ve been reporting issues upstream for a number of years (look for mount in their bug tracker), a bunch of those are effectively security issues (some are private because of that). We wish the apparmor project would dedicate more time to fixing those, extending the mount handling and more actively testing this feature, but there’s only so much that, as users, we can do.
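The two checks a host admin would want from the answer above, written out as an added example (not code from this thread or from LXD): one helper reduces the host's AppArmor "DENIED" lines to the container, mount target and process involved, so it is obvious which container is hitting the mount-handling limitation; the other applies the rule from the answer to a `lxc config show` dump, accepting security.nesting=true on an unprivileged container and flagging it on a privileged one. The audit lines and config fragments are constructed samples in the same shape as the question's logs and real LXD config keys; everything runs offline without LXD installed.

```shell
#!/bin/sh
# Added example for the thread; not code from the forum posts or from LXD.
#   apparmor_mount_denials - "<container> <mount target> <comm>" for each LXD mount denial
#   nesting_risk           - security.nesting is fine unprivileged, a risk privileged

# Constructed sample host log, same shape as the lines quoted in the question
# (timestamps, pids and the third line are made up).
SAMPLE_AUDIT='audit: type=1400 audit(1585000000.000:1): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-cloud_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/bin/" pid=2027 comm="(mysqld)" flags="ro, remount, noatime, bind"
audit: type=1400 audit(1585000000.000:2): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-cloud_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=2308 comm="(s-server)" flags="ro, remount, noatime, bind"
audit: type=1400 audit(1585000000.000:3): apparmor="DENIED" operation="open" profile="lxd-other_</var/snap/lxd/common/lxd>" name="/etc/hostname" pid=99 comm="cat"'

# Keep only LXD mount denials; the profile name is "lxd-<container>_<lxd path>".
apparmor_mount_denials() {
  grep 'apparmor="DENIED"' | grep 'operation="mount"' |
    sed -n 's/.*profile="lxd-\([^_]*\)_<[^>]*>".*name="\([^"]*\)".*comm="\([^"]*\)".*/\1 \2 \3/p'
}

# Constructed `lxc config show <container>` fragments (the keys are real LXD keys).
SAMPLE_CFG_UNPRIV='config:
  security.nesting: "true"
  security.privileged: "false"
devices: {}'
SAMPLE_CFG_PRIV='config:
  security.nesting: "true"
  security.privileged: "true"
devices: {}'
SAMPLE_CFG_OFF='config:
  image.os: debian
devices: {}'

# Read one "key: value" from a YAML dump on stdin; quotes stripped, absent key -> empty.
cfg_get() {
  tr -d '"' | sed -n "s/^ *$1: *//p" | head -n 1
}

# Classify a config dump read from stdin using the rule from the answer:
# nesting-off, nesting-unprivileged-ok, or nesting-privileged-RISK
# (on a privileged container nesting lets AppArmor be bypassed and /proc, /sys
# reached in unsafe ways, per the answer).
nesting_risk() {
  cfg=$(cat)
  nesting=$(printf '%s\n' "$cfg" | cfg_get security.nesting)
  privileged=$(printf '%s\n' "$cfg" | cfg_get security.privileged)
  if [ "$nesting" != "true" ]; then
    echo nesting-off
  elif [ "$privileged" = "true" ]; then
    echo nesting-privileged-RISK
  else
    echo nesting-unprivileged-ok
  fi
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_AUDIT" | apparmor_mount_denials
for c in "$SAMPLE_CFG_UNPRIV" "$SAMPLE_CFG_PRIV" "$SAMPLE_CFG_OFF"; do
  printf '%s\n' "$c" | nesting_risk
done
```

On a real host the same functions take live input, for example `journalctl -k | apparmor_mount_denials` and `lxc config show <container> | nesting_risk`; anything reported as nesting-privileged-RISK is the combination the answer warns against, and the fix is to either drop security.nesting or make the container unprivileged rather than to leave both set.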

Thanks a lot (my CT is unprivileged).
Would you have some doc or some link about what security.nesting does/brings?

Nope, other than its standing description that it allows for nested containers like running LXC, LXD or Docker inside a LXD container.