Package: lxc / 1:5.0.2-1+deb12u3

Metadata

Package Version Patches format
lxc 1:5.0.2-1+deb12u3 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
0004 apparmor.d Sets container base accordingly to container base.in.patch | (download)

config/apparmor/abstractions/container-base | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [apparmor.d] sets container-base according to container-base.in


0005 lxc.service Starts after remote fs.target.patch | (download)

config/init/systemd/lxc.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [lxc.service] starts after remote-fs.target


0004 nesting Extend mount permissions in apparmor to allo.patch | (download)

config/apparmor/profiles/lxc-default-with-nesting | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [nesting] extend mount permissions in apparmor to allow systemd
 services' restrictions to work

These options allow systemd security features to work. In particular
cases, it helps with systemd-logind and programs like it.

It's only added in the nesting profile as it could pose security risks on
privileged containers.

mount options=(rw,rbind) -> /run/systemd/unit-root/,
mount options=(rw,rbind) -> /run/systemd/unit-root/**,
mount options=(rw,rshared) -> /,
mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
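
The rules above are only safe to hand out where the container is not already root on the host, which is why the patch keeps them out of the default profile. The following is an added example by this editor, not code from the lxc package or from this patch: a small audit that flags container configs combining the nesting profile with a privileged container. It assumes the profile declared in config/apparmor/profiles/lxc-default-with-nesting is named lxc-container-default-with-nesting, judges privilege by the absence of lxc.idmap lines, reads only lxc.apparmor.profile and lxc.idmap (standard LXC keys), and does not follow lxc.include. The two configs it checks are constructed for the demo, not real containers.

```shell
#!/bin/sh
# Added example (this editor's, not lxc's or Debian's code): flag LXC
# container configs that give a privileged container the nesting AppArmor
# profile, the combination the patch description warns about.
# Assumptions: the nesting profile is named lxc-container-default-with-nesting;
# a config with no lxc.idmap line is privileged (uid 0 inside is uid 0 on
# the host); lxc.include files are not expanded here.

NESTING_PROFILE=lxc-container-default-with-nesting   # assumed profile name

# container_apparmor_profile CONFIG
#   Prints the effective lxc.apparmor.profile value (last assignment wins,
#   as LXC itself behaves), or nothing when the key is absent.
container_apparmor_profile() {
    sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# container_is_privileged CONFIG
#   Returns 0 when the config has no lxc.idmap line, i.e. no user namespace
#   mapping, so root in the container is root on the host.
container_is_privileged() {
    ! grep -qE '^[[:space:]]*lxc\.idmap[[:space:]]*=' "$1"
}

# audit_nesting_profile CONFIG
#   Returns 1 and prints a warning when a privileged container is given the
#   nesting profile (whose rshared / rbind mount rules then apply to a
#   container that is real root), 0 otherwise.
audit_nesting_profile() {
    prof=$(container_apparmor_profile "$1")
    if [ "$prof" = "$NESTING_PROFILE" ] && container_is_privileged "$1"; then
        printf 'WARN %s: privileged container uses %s\n' "$1" "$prof"
        return 1
    fi
    return 0
}

# demo: two constructed configs, one privileged and one with an idmap,
# both pointing at the nesting profile. Returns the number flagged.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' \
        "lxc.apparmor.profile = $NESTING_PROFILE" \
        'lxc.rootfs.path = dir:/var/lib/lxc/priv/rootfs' > "$dir/priv.conf"
    printf '%s\n' \
        'lxc.idmap = u 0 100000 65536' \
        'lxc.idmap = g 0 100000 65536' \
        "lxc.apparmor.profile = $NESTING_PROFILE" > "$dir/unpriv.conf"
    bad=0
    for c in "$dir"/*.conf; do
        audit_nesting_profile "$c" || bad=$((bad + 1))
    done
    rm -rf "$dir"
    return "$bad"   # 1 for the sample: only priv.conf is flagged
}

demo || echo "flagged $? container config(s)"
```

Run it over /var/lib/lxc/*/config (or wherever your containers live) to see whether any privileged container is already running under the nesting profile; a hit means the `mount options=(rw,rshared) -> /` rule is available to a container that is root on the host.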

0100 fix nftables ipv6.patch | (download)

config/init/common/lxc-net.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] lxc-net.in: fix nftables syntax for ipv6 nat

The nftables masquerade rule for IPv6 was using the IPv4 syntax. This
resulted in the following error when starting the lxc-net.service with
LXC_IPV6_NAT="true" and nftables:

    Feb 11 18:54:54 pc lxc-net[4936]: Error: conflicting protocols specified: ip6 vs. ip
    Feb 11 18:54:54 pc lxc-net[4936]:                              ^^^^^^^^
    Feb 11 18:54:54 pc lxc-net[4917]: Failed to setup lxc-net.
    Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
    Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Failed with result 'exit-code'.
    Feb 11 18:54:54 pc systemd[1]: Failed to start LXC network bridge setup.

Signed-off-by: Quentin Lyons <36303164+n0p90@users.noreply.github.com>
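
The error quoted above is nft(8) refusing an `ip saddr` / `ip daddr` payload expression inside an `ip6` table. The following is an added example by this editor, not code from lxc-net.in or from this patch: a lint pass that catches that family/protocol mismatch in `nft add rule ...` lines before the service is started, using only sed, grep and awk, so it runs where nft is not installed. The three sample rules are constructed for the demo and are not copied from lxc-net.in.

```shell
#!/bin/sh
# Added example (this editor's, not lxc's or Debian's code): lint
# "nft add rule <family> <table> <chain> ..." lines for payload
# expressions (ip saddr, ip6 daddr, ...) whose protocol keyword disagrees
# with the table family, the bug class behind
# "Error: conflicting protocols specified: ip6 vs. ip".

# nft_rule_family_mismatch LINE
#   Returns 1 and prints "FAMILY vs. PROTO" when LINE mixes families;
#   returns 0 silently otherwise (non-rule lines, and the inet family,
#   where both ip and ip6 expressions are legal).
nft_rule_family_mismatch() {
    line=$1
    family=$(printf '%s\n' "$line" | sed -n 's/^nft add rule \([a-z0-9]*\) .*/\1/p')
    case $family in
        ip|ip6) ;;
        *) return 0 ;;
    esac
    # Drop "nft add rule FAMILY TABLE CHAIN " and keep only the expressions.
    exprs=$(printf '%s\n' "$line" | sed 's/^nft add rule [a-z0-9]* [^ ]* [^ ]* //')
    # Each "ip <field>" / "ip6 <field>" pair names the payload protocol.
    protos=$(printf '%s\n' "$exprs" | grep -oE '(^| )ip6? [a-z]+' | awk '{print $1}' | sort -u)
    for p in $protos; do
        if [ "$p" != "$family" ]; then
            printf '%s vs. %s\n' "$family" "$p"
            return 1
        fi
    done
    return 0
}

# lint_nft_lines < SCRIPT
#   Checks every line on stdin, reports offenders on stderr and returns
#   the number of mismatching rules (0 = clean).
lint_nft_lines() {
    bad=0
    while IFS= read -r l; do
        if ! why=$(nft_rule_family_mismatch "$l"); then
            bad=$((bad + 1))
            printf 'mismatch (%s): %s\n' "$why" "$l" >&2
        fi
    done
    return "$bad"
}

# demo: a constructed IPv4 rule (fine), the IPv6 rule written with IPv4
# payload syntax (the bug the patch fixes), and the corrected IPv6 rule.
demo() {
    printf '%s\n' \
        'nft add rule ip lxc postrouting ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter masquerade' \
        'nft add rule ip6 lxc postrouting ip saddr fd42::/64 ip daddr != fd42::/64 counter masquerade' \
        'nft add rule ip6 lxc postrouting ip6 saddr fd42::/64 ip6 daddr != fd42::/64 counter masquerade' \
        | lint_nft_lines   # returns 1: only the middle rule is flagged
}

demo || echo "lint found $? bad rule(s)"
```

Where nft is available, `nft -c -f` on the generated ruleset gives the authoritative answer; the point of the lint is that the mismatch is visible in the shell template itself, before variables like the network prefix are even substituted.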

0101 cherry pick fix ephemeral copies.patch | (download)

src/lxc/conf.c | 21 12 + 9 - 0 !
src/lxc/conf.h | 4 2 + 2 - 0 !
src/lxc/confile.c | 4 2 + 2 - 0 !
src/lxc/storage/storage.c | 4 2 + 2 - 0 !
src/lxc/storage/storage.h | 2 1 + 1 - 0 !
5 files changed, 19 insertions(+), 16 deletions(-)

 [patch] conf: fix ephemeral copies

Don't rely on rootfs->bdev_type because that may be NULL. Use storage->type
instead which can't be NULL.

Co-Developed-by: Mathias Gibbens <gibmat@debian.org>
Signed-off-by: Mathias Gibbens <gibmat@debian.org>
Reported-by: Mathias Gibbens <gibmat@debian.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

0102 cherry pick fix null pointer dereference.patch | (download)

src/lxc/conf.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] avoid null pointer dereference when using shared rootfs.
 rootfs->storage not set by lxc_storage_prepare when using a shared rootfs.

Fixes: https://github.com/lxc/lxc/issues/4476
Signed-off-by: Steven Galgano <sgalgano@adjacentlink.com>