Correct way to enable AppArmor inside an unprivileged LXC

Dec 6, 2021
Hi,

Can someone with solid experience in AppArmor + PVE confirm if this is the correct way to enable AppArmor inside an unprivileged LXC? The goal is to add specific profiles within the LXC to enhance security.

Here's the line I'm considering for /etc/pve/lxc/XXX.conf:

lxc.mount.entry: /sys/kernel/security sys/kernel/security none bind,ro,0 0

As far as I know, AppArmor supports namespaces, so I should be able to add a "layer" over the LXC's own profile without altering the base security profiles. However, I want to be sure.


Thanks a lot.

edit: I did ask o1-preview and Sonnet 3.5, they don't seem reliable on that subject, even dangerous.
edit2: this doesn't work, as AppArmor seems to require more permissions.
Up.

I tried applying tons of restrictions using systemd inside the LXC instead (InaccessiblePaths, NoExecPaths...), but clearly that's twisting its purpose and AppArmor would be the right tool for the job.
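The mount line in the question only gives the container a read-only view of securityfs, while loading a profile means writing to the apparmor directory under it. The following check, an added example that is not from the post or from Proxmox, reports which of those prerequisites is missing from inside a container; the function name and its optional root-path argument (used to point it at a constructed tree) are my own.

```sh
#!/bin/sh
# apparmor_status_in_container: assumed helper, not part of the original post.
# Prints one word describing why AppArmor profiles can or cannot be loaded
# from inside this container, and returns 0 only when loading looks possible.
# $1 (optional) is a root prefix, so the check can run against a test tree.
apparmor_status_in_container() {
    sysroot="${1:-}"
    enabled_file="$sysroot/sys/module/apparmor/parameters/enabled"
    aa_dir="$sysroot/sys/kernel/security/apparmor"

    # 1. The host kernel must have AppArmor enabled at all.
    if [ ! -r "$enabled_file" ] || [ "$(cat "$enabled_file" 2>/dev/null)" != "Y" ]; then
        echo "module-disabled"
        return 1
    fi

    # 2. securityfs must be visible inside the container; without the bind
    #    mount from the question this directory simply does not exist.
    if [ ! -d "$aa_dir" ]; then
        echo "securityfs-missing"
        return 2
    fi

    # 3. apparmor_parser loads profiles by writing to .load / .replace here;
    #    a read-only bind mount (the ",ro" in the question) blocks that.
    if [ ! -w "$aa_dir/.load" ]; then
        echo "not-loadable"
        return 3
    fi

    echo "loadable"
    return 0
}

# Usage inside a container: apparmor_status_in_container
```

A "loadable" result only means the interface is reachable and writable; whether the kernel accepts a load from an unprivileged container still depends on the AppArmor namespace the container was placed in.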