Package: lxc / 1:6.0.5-1

Metadata

Package: lxc
Version: 1:6.0.5-1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 nesting Extend mount permissions in apparmor to allo.patch

config/apparmor/profiles/lxc-default-with-nesting | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [nesting] extend mount permissions in apparmor to allow systemd
 services' restrictions to work

These options allow systemd security features to work. In particular
cases, it helps with systemd-logind and programs like this.

It's only added in nesting profile as it could pose security risks on
privileged containers.

mount options=(rw,rbind) -> /run/systemd/unit-root/,
mount options=(rw,rbind) -> /run/systemd/unit-root/**,
mount options=(rw,rshared) -> /,
mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,

0002 lxc.service Starts after remote fs.target.patch

config/init/systemd/lxc.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [lxc.service] starts after remote-fs.target


0003 apparmor 4x userns.patch

config/apparmor/abstractions/container-base.in | 1 1 + 0 - 0 !
config/apparmor/abstractions/start-container.in | 1 1 + 0 - 0 !
config/apparmor/usr.bin.lxc-copy | 1 1 + 0 - 0 !
config/apparmor/usr.bin.lxc-start | 1 1 + 0 - 0 !
src/lxc/lsm/apparmor.c | 1 1 + 0 - 0 !
5 files changed, 5 insertions(+)

 update apparmor profile for userns permission and new abi