snap does not allow docker run --security-opt=no-new-privileges:true
Bug #1908448 reported by samc014111
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
| snapd | Triaged | Low | Unassigned | |
Bug Description
If docker is installed via snap then running
$ docker run -it --security-
where <IMAGE> is an image, fails with the following error:
standard_
This error does not occur if docker is installed via apt.
In the logs I see
$ dmesg | grep audit
[28071.584927] audit: type=1400 audit(160814935
Unfortunately I believe that this is an inherent constraint we have with AppArmor, where during the process of dockerd executing the container, AppArmor doesn't allow you to set no-new-privileges (or NNP) for the new process because it's difficult for AppArmor to know specifically which sets of privilege transitions should be allowed with the specific policy that is in place at any given time for the dockerd service, and thus AppArmor just entirely denies NNP transitions (or something like this).
I've asked someone from our security team who is more knowledgeable about AppArmor to comment and perhaps provide a more refined explanation of the issue. AFAIK this is not something that we can support for snaps until AppArmor itself supports it.