container features deployment limited to root

[alexskysilk]

I have recently began deployment of nested containers following an orderly upgrade to 5.3, when I noticed that only a root user may actually flag the features. What is the rationale for this limitation? What are the implications of setting these flags I'm not considering?

 

[dietmar]

What is the rationale for this limitation?

Security. A normal container should not have permissions to do all those things, as this can severely damage the host system (if a bad/untrusted user inside the container tries to hack you).

 

[alexskysilk]

Thanks @dietmar , I had a gut feeling that this isnt benign just because we are not opening up the apparmor profile. Can you expand a bit more about the relationship of the nested flag and what apparmor is allowing/preventing when it is?