From f965547b6ce0dd1fed36acb31aa365a9e5dcbfd1 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 7 Nov 2025 19:54:07 +0000
Subject: [PATCH] fix: Add nested container support to workspace.nspawn

- Add Capability=all for full capabilities
- Add SystemCallFilter=@keyring bpf for required syscalls
- Set PrivateUsers=no to avoid user namespace issues
- Set SuppressSync=false for Docker compatibility
- Fixes audit errors in nested systemd-nspawn containers
---
 cfg/setup-user.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index bf386f2..c298876 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -37,9 +37,13 @@ cat > $ROOTFS/etc/systemd/nspawn/workspace.nspawn <<'EOF'
 [Exec]
 Boot=yes
 ResolvConf=copy-host
+Capability=all
+SystemCallFilter=@keyring bpf
+PrivateUsers=no
 [Files]
 Bind=/home/ai:/root
+SuppressSync=false
 [Network]
 VirtualEthernet=no
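Review bot: The new `[Exec]` keys `Capability=all`, `PrivateUsers=no` and `SystemCallFilter=@keyring bpf` together leave the workspace container running as real host root with every capability and the bpf syscall available, i.e. effectively unconfined, and nothing in the heredoc records why. I'd add a comment line above them inside the heredoc, e.g. `# Nested nspawn/Docker needs these; the container is effectively privileged — narrow Capability= to the set the nested runtime actually requires`, and treat `Capability=all` as a stopgap rather than the final setting. Separately, `SuppressSync=false` is placed under `[Files]`, but I believe systemd.nspawn(5) lists SuppressSync= in the `[Exec]` section (and false is already its default), so it is likely ignored with a warning rather than doing anything — worth checking against the installed systemd version. The heredoc begins at line 37 before this hunk and its closing EOF lies outside it.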