What is the purpose of /dev/.lxc/proc

After enabling security.nesting, I noticed that an additional proc filesystem is mounted at /dev/.lxc/proc, and it appears to be effectively the same as /proc.

This makes the purpose of /dev/.lxc/proc unclear to me. I have searched extensively, but I have not been able to find any in-depth explanation or design rationale for this behavior.

The Linux kernel has a protection mechanism where a filesystem which is only visible to users with additional mounts over it (over-mounted) will not be allowed for mounting by unprivileged users inside of a mount namespace.

That’s because the over-mounting could have been used by the administrator to hide sensitive parts of the filesystem.

That protection can get in the way of running nested containers depending on what may have been mounted over /proc or /sys by the system.

To avoid the issue, we mount clean copies of both filesystems under /dev and then use AppArmor to prevent any actual access to them through that path.

This clears the kernel check while limiting the amount of visible confusion on the system.
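As an added illustration (not part of the thread or of LXD's own code), the POSIX shell/awk script below reads a mountinfo listing and reports the mounts stacked under /proc or /sys, i.e. the over-mounts that make the kernel refuse a fresh proc/sysfs mount from an unprivileged mount namespace, and then confirms that a clean proc copy sits at /dev/.lxc/proc. The sample mountinfo is constructed; run it against the live /proc/self/mountinfo to inspect a real system.

```shell
#!/bin/sh
# Field layout of /proc/self/mountinfo (see mount(5)):
#   1 mount id, 2 parent id, 3 major:minor, 4 root, 5 mount point, 6 options,
#   then zero or more optional fields, a "-" separator, then fstype and source.

# Print "<mountpoint> <fstype>" for every mount stacked below /proc or /sys.
# Reads mountinfo-format text from stdin.
list_overmounts() {
    awk '{
        fstype = "?"
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if ($5 ~ "^/proc/" || $5 ~ "^/sys/") print $5 " " fstype
    }'
}

# Print the fstype mounted at the path given as $1 (empty if nothing is there).
# Reads mountinfo-format text from stdin.
fstype_at() {
    awk -v want="$1" '$5 == want {
        for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit }
    }'
}

# Constructed sample: /proc/kcore hidden behind a bind mount of /dev/null,
# binfmt_misc and cgroup2 stacked under /proc and /sys, and the clean copy
# that LXD mounts at /dev/.lxc/proc (mount ids and options are made up).
SAMPLE='22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
40 22 0:22 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - binfmt_misc binfmt_misc rw
41 22 0:6 /null /proc/kcore rw,nosuid shared:21 - devtmpfs udev rw
23 1 0:24 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw
42 23 0:25 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:22 - cgroup2 cgroup2 rw
50 1 0:30 / /dev/.lxc/proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

echo "over-mounts that trigger the kernel check:"
printf '%s\n' "$SAMPLE" | list_overmounts
echo "filesystem at /dev/.lxc/proc: $(printf '%s\n' "$SAMPLE" | fstype_at /dev/.lxc/proc)"
```

On a live host replace the sample with `list_overmounts < /proc/self/mountinfo`; an empty result means nothing is stacked under /proc or /sys and the clean copies are not needed for that reason.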
