[lxc-users] Question about lxc-container-default-with-nesting profile

[Serge Hallyn]

Quoting Hirokuni Kim (kim at circleci.com):
> Hi,
> 
> I have a question about the security implication about one line in
> lxc-container-default-with-nesting profile.
> 
> There is a line  `mount fstype=proc -> /var/cache/lxc/**,` in the profile
> and in my understanding, the line allows LXC container to mount the /proc
> of host machine. If this is correct, why is this ok to allow?

It's not safe, but it's required for nesting.  This is why it's not
the default policy.