nspawn-v227: cannot mount /sys with private users but without private net #1555

@alban


systemd 227

# systemd-nspawn --private-users=10000:65536
[pid   390] mount(NULL, "/proc/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
[pid   390] mkdir("/sys/full", 0755)    = 0
[pid   390] mount("sysfs", "/sys/full", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL <unfinished ...>
[pid   388] clock_gettime(CLOCK_MONOTONIC,  <unfinished ...>
[pid   390] <... mount resumed> )       = -1 EPERM (Operation not permitted)

But it works fine if I add --private-net

# systemd-nspawn --private-users=10000:65536 --private-net

I suspect the difference with --private-net comes from the following test in the kernel:

linux/fs/sysfs/mount.c#L33

    if (!(flags & MS_KERNMOUNT)) {
        if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
            return ERR_PTR(-EPERM);
    }

I am not sure why this issue was not seen before systemd-v227. It is probably because of the new way /sys is mounted in nspawn containers: d8fc6a0

Tested on Linux v4.1 and Linux 4.3.0-rc4+. There were a fair number of changes in the Linux kernel about sysfs and procfs mounts due to the options nosuid,nodev,noexec. So I don't know if it is reproducible on all Linux versions or only on the ones I tested.
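The kernel test the report points at can be reproduced outside nspawn. `kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET)` ends up in `net_current_may_mount()`, which is `ns_capable(net->user_ns, CAP_SYS_ADMIN)` on the user namespace that owns the caller's *current network namespace*. A process that has only unshared its user and mount namespaces still sits in a network namespace owned by the parent user namespace, so it has no capabilities over it and sysfs refuses to mount; unsharing the network namespace as well (what `--private-net` does) creates a network namespace owned by the new user namespace, and the same mount succeeds. The C program below is an added example, not code from the issue or from systemd. It assumes a kernel that lets this process create user namespaces and a sysfs mount visible at `/sys` (sysfs can only be mounted in a user namespace when one is already visible); where the environment blocks `unshare(2)` it reports `SETUP_FAILED` rather than guessing. The scratch directory under `/tmp` is a constructed path.

```c
// Added example (not from the issue or systemd): probe whether a fresh user
// namespace can mount sysfs with and without a private network namespace.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/statfs.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/magic.h>

enum probe_result {
    MOUNT_OK = 0,     /* sysfs mounted read-only inside the new namespaces */
    MOUNT_EPERM = 1,  /* mount(2) refused with EPERM: the check under test */
    MOUNT_OTHER = 2,  /* mount(2) failed for another reason (e.g. an LSM) */
    SETUP_FAILED = 3  /* no sysfs at /sys, or unshare(2) not permitted here */
};

/* Runs in a forked child so the new namespaces vanish when it exits. */
static int probe_child(const char *target, int with_private_net)
{
    int flags = CLONE_NEWUSER | CLONE_NEWNS;
    if (with_private_net)
        flags |= CLONE_NEWNET;  /* the equivalent of nspawn's --private-net */

    /* New user namespace, like --private-users. No uid_map is written:
     * capabilities inside the new userns do not depend on the mapping. */
    if (unshare(flags) != 0)
        return SETUP_FAILED;

    /* Same mount flags as the strace line in the report. */
    if (mount("sysfs", target, "sysfs",
              MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) == 0) {
        umount(target);
        return MOUNT_OK;
    }
    return errno == EPERM ? MOUNT_EPERM : MOUNT_OTHER;
}

/* Returns one of enum probe_result. */
int try_sysfs_mount(int with_private_net)
{
    struct statfs st;
    /* Without a visible sysfs mount the kernel refuses for an unrelated
     * reason, so give up instead of reporting a misleading EPERM. */
    if (statfs("/sys", &st) != 0 || st.f_type != SYSFS_MAGIC)
        return SETUP_FAILED;

    char target[] = "/tmp/sysfs-probe-XXXXXX";  /* constructed scratch path */
    if (mkdtemp(target) == NULL)
        return SETUP_FAILED;

    pid_t pid = fork();
    if (pid < 0) {
        rmdir(target);
        return SETUP_FAILED;
    }
    if (pid == 0)
        _exit(probe_child(target, with_private_net));

    int status, result = SETUP_FAILED;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);
    rmdir(target);  /* the mount itself died with the child's mount namespace */
    return result;
}

static const char *describe(int r)
{
    static const char *names[] = { "mounted OK", "EPERM", "other error",
                                   "setup failed" };
    return (r >= 0 && r < 4) ? names[r] : "?";
}

int main(void)
{
    printf("userns + mountns, shared netns  : %s\n", describe(try_sysfs_mount(0)));
    printf("userns + mountns + private netns: %s\n", describe(try_sysfs_mount(1)));
    return 0;
}
```

On a kernel that allows unprivileged user namespaces this prints `EPERM` for the first line and `mounted OK` for the second, as an ordinary user or as root: being root in the parent namespace does not help, because after `unshare(CLONE_NEWUSER)` the caller's capabilities apply only to the new user namespace and its descendants, never to the namespace that owns the inherited network namespace. That is the intended safety property of the check (sysfs exposes network-namespace-tagged objects), so a container manager that wants `/sys` in a user-namespaced container without `--private-net` has to mount it from the outside, as nspawn's parent process does, or bind-mount it.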

Labels: bug (programming errors that need preferential fixing), nspawn