docker snap does not support custom apparmor profiles per container
Bug #1882894 reported by
Alfonso Sanchez-Beato
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| snapd (Ubuntu) |
Incomplete
|
Undecided
|
Jamie Strandboge | ||
Bug Description
docker supports loading custom apparmor profiles that can be different for each container [1] by using the option "--security-opt apparmor=
However, this does not work with the docker snap because the docker snapd interface only allows sending signals to a profile named "docker-default" (the default profile for docker containers), so if the name of the profile is different, you cannot stop the container using the docker cli. You get denials when trying to send the kill signal to the container.
Allowing the docker snap to handle custom apparmor profiles for the containers would allow further confinement of the payloads.
| Changed in snapd (Ubuntu): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #1 |
| Changed in snapd (Ubuntu): | |
| status: | New → Incomplete |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #2 |
| no longer affects: | docker (Ubuntu) |
Revision history for this message
| Ian Johnson (anonymouse67) wrote | #3 |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #4 |
To post a comment you must log in.
The docker snap should be updated to plugs 'process-control'. I'd prefer not to change the docker-support interface for this when process-control already handles it.