From 1ab5e40fc75e293b87f645fc2de08e0a0fe3d50f Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Fri, 29 May 2026 11:18:13 +0100
Subject: fix(hardened): restore podman compatibility on linux-hardened
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two breakages observed on first linux-hardened boot:

1. `podman run` failed because linux-hardened sets kernel.unprivileged_userns_clone=0 by default (stock linux: 1). Rootless podman requires unprivileged user namespaces. Restoring the stock-kernel default via sysctl — this is a documented hardened knob meant to be flipped back if you actually use rootless containers. No-op on stock kernel.

2. "kernel does not support overlay fs: 'overlay' is not supported over btrfs". Kernel overlayfs cannot use a btrfs subvolume as lowerdir; podman needs fuse-overlayfs as the user-mode shim. ~10-30% slower I/O than native overlay but works correctly and is the upstream recommendation for btrfs-backed rootless storage.
---
 etc/sysctl.d/99-sysctl.conf | 4 ++++
 meta/base.txt | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
index 3a43da9..d20197e 100644
--- a/etc/sysctl.d/99-sysctl.conf
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -3,12 +3,16 @@
 # kernel.dmesg_restrict=0 — read dmesg as user during driver/kernel debug.
 # kernel.perf_event_paranoid=-1 — `perf record` on own user-space binaries
 # without sudo. Kernel-space tracepoints still need root.
+# kernel.unprivileged_userns_clone=1 — required by rootless podman.
+# linux-hardened defaults this to 0; stock linux defaults it to 1.
+# Restoring the stock default here. No-op on stock kernel.
 # kernel.yama.ptrace_scope is left at the kernel default (1, parent-only),
 # which keeps `gdb ./a.out`, `lldb -- ./bin`, `rust-gdb target/...` working;
 # attach-by-PID (`gdb -p`) requires sudo.
 kernel.sysrq = 1
 kernel.dmesg_restrict = 0
 kernel.perf_event_paranoid = -1
+kernel.unprivileged_userns_clone = 1
 net.core.netdev_max_backlog = 16384
 net.core.somaxconn = 8192
 net.ipv4.tcp_fastopen = 3
diff --git a/meta/base.txt b/meta/base.txt
index 1f7cdd8..1cb96dc 100644
--- a/meta/base.txt
+++ b/meta/base.txt
@@ -75,6 +75,10 @@ nix
 perf # links against running kernel ABI; must match kernel pkg
 podman-compose
 podman-docker
+fuse-overlayfs # podman rootless storage driver on btrfs (kernel overlayfs
+ # doesn't support btrfs as a lower dir; podman falls back to
+ # vfs which is unusable). ~10-30% slower than native overlay
+ # but unavoidable as long as ~/.local/share/containers is on btrfs.
 
 # --- sound ---
 alsa-utils
-- 
cgit v1.3.1
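Review bot: The added `kernel.unprivileged_userns_clone = 1` is not a no-op on a stock kernel that does not expose this key, and as far as I can tell mainline does not carry it (it comes from the hardened patch set), so `sysctl --system` / systemd-sysctl would report a failed write for this file at every boot instead of silently skipping it. Prefixing the key with `-`, i.e. `-kernel.unprivileged_userns_clone = 1`, makes sysctl ignore an unknown key and matches the "No-op on stock kernel" intent written in the comment above it. The comment should also state what is being given up: unprivileged user namespaces are precisely what linux-hardened turns off to shrink the kernel surface reachable by unprivileged users, so a reader should see that this line knowingly reverts that hardening, e.g. `# Re-exposes the kernel surface linux-hardened hides behind this knob; intentional, rootless podman needs it.`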
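Review bot: Installing fuse-overlayfs only fixes the problem if podman has not already initialized `~/.local/share/containers` with the vfs driver that the comment mentions; containers-storage records the driver inside the store, so an existing vfs store appears to keep using vfs until it is reset (`podman system reset`) or the driver is pinned in storage.conf, and the comment should say so since this package list is applied to machines that may already have run podman. The parenthetical also states a kernel limitation ("kernel overlayfs doesn't support btrfs as a lower dir") that is stronger than what the quoted podman error supports — the refusal appears to come from podman's storage-driver check on btrfs-backed rootless storage, not from the kernel — so a wording like `# podman refuses native overlay on btrfs-backed rootless storage; fuse-overlayfs serves as the mount_program` would be more accurate and easier to re-verify later.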