
Bug#1121206: marked as done (trixie-pu: package incus/6.0.4-2+deb13u3)



Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <E1veXWE-00000004Rez-1oVF@coccia.debian.org>
and subject line Released with 13.3
has caused the Debian Bug report #1121206,
regarding trixie-pu: package incus/6.0.4-2+deb13u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1121206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121206
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gibmat@debian.org
Control: affects -1 + src:incus

[ Reason ]
runc's recent fix for CVE-2025-52881 has exposed a problem with
apparmor profiles for nested containers
(https://github.com/opencontainers/runc/issues/4968). This requires an
update to Incus' logic for generating a container's apparmor profile.

[ Impact ]
Users cannot run docker within an Incus container.

[ Tests ]
I have manually tested running docker within a container and verified
that `docker run hello-world` works once again with the fix.

[ Risks ]
Minor/none -- the fix has been in upstream Incus packages for two weeks
and no regressions have been reported.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Rebase fix from upstream: https://github.com/lxc/incus/pull/2624.

[ Other info ]
The source debdiff is attached.
diff -Nru incus-6.0.4/debian/changelog incus-6.0.4/debian/changelog
--- incus-6.0.4/debian/changelog	2025-11-10 13:32:56.000000000 +0000
+++ incus-6.0.4/debian/changelog	2025-11-22 15:21:53.000000000 +0000
@@ -1,3 +1,9 @@
+incus (6.0.4-2+deb13u3) trixie; urgency=medium
+
+  * Backport fix for running nested docker in containers (Closes: #1121011)
+
+ -- Mathias Gibbens <gibmat@debian.org>  Sat, 22 Nov 2025 15:21:53 +0000
+
 incus (6.0.4-2+deb13u2) trixie-security; urgency=high
 
   * Backport upstream fix for GHSA-56mx-8g9f-5crf
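Review bot: the new changelog entry `+  * Backport fix for running nested docker in containers (Closes: #1121011)` documents only the symptom, while the backported patch drops the `/proc/sys` and `/sys` AppArmor deny rules for instances with nesting enabled; the entry should state that profile change explicitly and cite the upstream PR (https://github.com/lxc/incus/pull/2624) so users reading the stable update can judge its security scope.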
diff -Nru incus-6.0.4/debian/patches/008-cherry-pick-fix-nested-docker.patch incus-6.0.4/debian/patches/008-cherry-pick-fix-nested-docker.patch
--- incus-6.0.4/debian/patches/008-cherry-pick-fix-nested-docker.patch	1970-01-01 00:00:00.000000000 +0000
+++ incus-6.0.4/debian/patches/008-cherry-pick-fix-nested-docker.patch	2025-11-22 15:21:53.000000000 +0000
@@ -0,0 +1,72 @@
+From 1fbe4bffb9748cc3b07aaf5db310d463c1e827d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
+Date: Wed, 5 Nov 2025 20:24:47 -0500
+Subject: [PATCH] incusd/apparmor/lxc: Don't bother with sys/proc protections
+ when nesting enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When nesting is enabled, it's possible for the container to get a clean
+copy of /proc or /sys mounted anywhere without AppArmor being able to
+mediate. So there's little point in trying to apply safety checks on top
+of the main /proc and /sys.
+
+On top of that, we've recently discovered that AppArmor doesn't properly
+handle file access relative to a file descriptor, causing a bunch of
+those checks to deny access when they shouldn't.
+
+Closes #2623
+
+Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
+Rebased-by: Mathias Gibbens <gibmat@debian.org>
+---
+ internal/server/apparmor/instance_lxc.profile.go | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/internal/server/apparmor/instance_lxc.profile.go b/internal/server/apparmor/instance_lxc.profile.go
+index 5c46e8af0..417eb6f97 100644
+--- a/internal/server/apparmor/instance_lxc.profile.go
++++ b/internal/server/apparmor/instance_lxc.profile.go
+@@ -329,6 +329,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
+   mount options=(rw,move) /sy[^s]*{,/**},
+   mount options=(rw,move) /sys?*{,/**},
+ 
++{{- if not .nesting }}
+   # Block dangerous paths under /proc/sys
+   deny /proc/sys/[^fkn]*{,/**} wklx,
+   deny /proc/sys/f[^s]*{,/**} wklx,
+@@ -424,6 +425,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
+   deny /sys/fs/cgrou[^p]*{,/**} wklx,
+   deny /sys/fs/cgroup?*{,/**} wklx,
+   deny /sys/fs?*{,/**} wklx,
++{{- end }}
+ 
+ {{- if .feature_unix }}
+ 
+@@ -446,6 +448,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
+ 
+ {{- if .feature_stacking }}
+ 
++{{- if not .nesting }}
+   ### Feature: apparmor stacking
+   deny /sys/k[^e]*{,/**} wklx,
+   deny /sys/ke[^r]*{,/**} wklx,
+@@ -471,14 +474,17 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
+   deny /sys/kernel/security/apparmor?*{,/**} wklx,
+   deny /sys/kernel/security?*{,/**} wklx,
+   deny /sys/kernel?*{,/**} wklx,
++{{- end }}
+ 
+   change_profile -> ":{{ .namespace }}:*",
+   change_profile -> ":{{ .namespace }}://*",
+ {{- else }}
+ 
+   ### Feature: apparmor stacking (not present)
++{{- if not .nesting }}
+   deny /sys/k*{,/**} wklx,
+ {{- end }}
++{{- end }}
+ 
+ {{- if .nesting }}
+ 
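Review bot: the six added template lines balance (three `{{- if not .nesting }}` and three `{{- end }}`, matching the `6 insertions(+)` diffstat), but in the last hunk the pre-existing `{{- end }}` after `deny /sys/k*{,/**} wklx,` now closes the new nesting conditional and the added `+{{- end }}` closes the outer `{{- if .feature_stacking }}`; a short template comment on the added line, e.g. `{{- end }}{{/* feature_stacking */}}`, would make that pairing readable. Also, `### Feature: apparmor stacking` moves inside the new conditional, so the generated profile loses that section label when nesting is enabled even though the `change_profile` rules below it are still emitted; keeping the heading comment outside the conditional avoids that. The removed `/sys/kernel/security/apparmor` and `/proc/sys` denies are the security-relevant part of the change, and the rationale given in the commit message (a nested container can mount a fresh `/proc` or `/sys` that AppArmor cannot mediate) is what justifies it.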
diff -Nru incus-6.0.4/debian/patches/series incus-6.0.4/debian/patches/series
--- incus-6.0.4/debian/patches/series	2025-11-10 13:32:56.000000000 +0000
+++ incus-6.0.4/debian/patches/series	2025-11-22 15:21:53.000000000 +0000
@@ -5,6 +5,7 @@
 005-cherry-pick-qemu-socket-cleanup.patch
 006-cherry-pick-agent-mount-retry.patch
 007-cherry-pick-usb-hotplug-fix.patch
+008-cherry-pick-fix-nested-docker.patch
 100-CVE-2025-54293.patch
 101-CVE-2025-54287.patch
 102-CVE-2025-54288.patch
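Review bot: `008-cherry-pick-fix-nested-docker.patch` is inserted between the upstream cherry-picks and the `100`-series CVE patches, which keeps the existing numbering scheme consistent; since the new patch and the CVE patches are applied in this fixed order, confirm that `quilt push -a` still applies the whole series cleanly on the 6.0.4 source.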



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.

--- End Message ---
