Call me crazy, but I say yes. Away with AppArmor. Away with unnecessary security bullshit that is already bloated around the world. The Proxmox team must absolutely avoid increasing complexity!
Yes, and making systems harder to secure by removing already enabled options for reaching that security would actually increase the complexity for users in an enterprise environment (which are the paying customers).
But let's take that argument a little bit further: the firewall function and SDN add further complexity, so away with them! Most of the switchers from VMware don't run containers (since VMware doesn't have them), so Proxmox VE can finally get rid of them (they just add complexity, right?).
If you really don't want that kind of complexity you are probably better off with a Linux VM (so you don't need to mess around with LXC's restrictions) or even a bare-metal Linux/BSD server (virtualization is extra complexity too, and a VM is more isolated than a container, so even more of the security you seem to hate). On the other hand: if you hate security you shouldn't run a server (in your home or elsewhere); the world is already full enough of enablers of ransomware and hacking attacks because they "don't care for security".
Thankfully not only the Proxmox team but also the LXC developers think differently (according to https://pve.proxmox.com/wiki/Linux_Container ):
Unprivileged Containers
Unprivileged containers use a new kernel feature called user namespaces. The root UID 0 inside the container is mapped to an unprivileged user outside the container. This means that most security issues (container escape, resource abuse, etc.) in these containers will affect a random unprivileged user, and would be a generic kernel security bug rather than an LXC issue. The LXC team thinks unprivileged containers are safe by design.
This is the default option when creating a new container.
If the container uses systemd as an init system, please be aware the systemd version running inside the container should be equal to or greater than 220.
Privileged Containers
Security in containers is achieved by using mandatory access control AppArmor restrictions, seccomp filters and Linux kernel namespaces. The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. That’s why privileged containers should only be used in trusted environments.
Now, configuring AppArmor profiles isn't novice-friendly, but it's still a lot simpler than SELinux, and you don't even need to do it to run LXC containers.
So the real question (apart from how one can be so irresponsible and expect other people to enable such behaviour): what actual problem are you trying to solve which couldn't be solved in a different way? I can understand it if people run into a problem and use the "Yolo, I'll just allow everything" approach to get around it. I even think that it's useful to test whether it will work at all. But in the end the solution wouldn't be to choose the less secure (although easier) route but to fix the problem by giving the container/VM/application exactly the needed permissions and nothing more.
But "Yolo, Security sucks anyway and I don't care about my data or the impact on other people" shouldn't be encouraged.
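To make concrete what the quoted wiki text means by "root UID 0 inside the container is mapped to an unprivileged user outside the container", here is an added example (not from this thread, the Proxmox wiki or the LXC project) that parses the /proc/<pid>/uid_map format the kernel uses for user namespaces and translates UIDs in both directions. The sample maps are constructed: the 100000/65536 figures are Proxmox's default root:100000:65536 entry in /etc/subuid, the identity map is what a privileged container or any process on the host sees, and the third map is a hypothetical lxc.idmap-style passthrough of a single host UID.

```python
"""User-namespace UID translation, as used by unprivileged LXC containers.

/proc/<pid>/uid_map lists one mapping per line as "inside outside count":
container UIDs inside..inside+count-1 correspond to host UIDs
outside..outside+count-1. Example code, not Proxmox or LXC project code.
"""
import os
from typing import List, Optional, Tuple

Entry = Tuple[int, int, int]  # (inside, outside, count)

# Constructed sample maps (not captured from any real system).
# Proxmox's default for an unprivileged container, from "root:100000:65536" in /etc/subuid.
UNPRIVILEGED_UID_MAP = "         0     100000      65536\n"
# A privileged container, like any process in the initial user namespace, has the identity map.
PRIVILEGED_UID_MAP = "         0          0 4294967295\n"
# Hypothetical lxc.idmap-style map that passes host UID 1005 straight through
# (the usual trick for a bind-mounted directory owned by UID 1005 on the host).
CUSTOM_UID_MAP = """\
         0     100000       1005
      1005       1005          1
      1006     101006      64530
"""

OVERFLOW_UID = 65534  # kernel default for IDs that have no mapping ("nobody")


def parse_uid_map(text: str) -> List[Entry]:
    """Parse uid_map/gid_map text into (inside, outside, count) triples."""
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def container_to_host_uid(uid: int, entries: List[Entry]) -> Optional[int]:
    """Host UID a container UID really runs as; None if the container cannot use that UID at all."""
    for inside, outside, count in entries:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def host_to_container_uid(uid: int, entries: List[Entry]) -> int:
    """How a host UID appears from inside the container; unmapped host UIDs show up as OVERFLOW_UID."""
    for inside, outside, count in entries:
        if outside <= uid < outside + count:
            return inside + (uid - outside)
    return OVERFLOW_UID


def container_root_is_host_root(text: str) -> bool:
    """True when UID 0 in the container is UID 0 on the host, i.e. the container is privileged."""
    return container_to_host_uid(0, parse_uid_map(text)) == 0


def mapping_reaches_host_root(entries: List[Entry]) -> bool:
    """True if any container UID maps to host UID 0; a custom lxc.idmap can do this even when container root does not."""
    return any(outside <= 0 < outside + count for _, outside, count in entries)


def describe_self() -> str:
    """Read this process's own map; run inside a container this shows what 'root' really is."""
    path = "/proc/self/uid_map"
    if not os.path.exists(path):
        return "no user namespace information available on this platform"
    with open(path) as fh:
        text = fh.read()
    kind = "privileged/host" if container_root_is_host_root(text) else "unprivileged"
    return f"{kind}: {text.strip()}"


if __name__ == "__main__":
    for name, text in [("unprivileged", UNPRIVILEGED_UID_MAP),
                       ("privileged", PRIVILEGED_UID_MAP),
                       ("custom", CUSTOM_UID_MAP)]:
        entries = parse_uid_map(text)
        print(f"{name:12s} container root -> host uid {container_to_host_uid(0, entries)}; "
              f"container root is host root: {container_root_is_host_root(text)}")
    print(describe_self())
```

The same check by hand: `cat /proc/self/uid_map` inside a container prints `0 0 4294967295` for a privileged one and `0 100000 65536` for a Proxmox default unprivileged one, and `pct config <vmid>` on the host shows `unprivileged: 1`. The caveat the custom map illustrates is that any lxc.idmap range whose host side starts at 0 hands real root back to the container even if UID 0 itself is shifted, which is what `mapping_reaches_host_root` flags.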