From 7c485c0367b0c08013bcddb03005bd6663ea3117 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Tue, 25 Jun 2024 14:29:41 -0700
Subject: [PATCH] container: Allow podman containers to run inside the container
- Allow all system calls from within the container (in particular the openat2 syscall [1]). This enables running podman containers inside the nspawn container. Nextcloud can now be tested/developed inside the container.
- List of available system call filter groups can be seen with the command 'systemd-analyze syscall-filter'[2].
Links:
1) https://github.com/containers/podman/issues/7013
2) https://www.freedesktop.org/software/systemd/man/latest/systemd-analyze.html#systemd-analyze%20syscall-filter%20%5BSET...%5D
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 container | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/container b/container
index f1cc8379d..87f722b24 100755
--- a/container
+++ b/container
@@ -785,6 +785,9 @@ def _create_nspawn_machine(image_file, distribution):
 nspawn_options = f'''[Exec]
 Boot=yes
 PrivateUsers=no
+# Allow all system calls to enable podman containers inside the nspawn
+# container.
+SystemCallFilter=@known
 [Files]
 Overlay={_get_project_folder()}:{overlay_folder}:/freedombox