|
|
@@ -1,5 +1,11 @@
|
|
|
#!/bin/bash
|
|
|
set -e
|
|
|
+
|
|
|
+# Set the container env-var, so that AppArmor is enabled in the daemon and
|
|
|
+# containerd when running docker-in-docker.
|
|
|
+#
|
|
|
+# see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
|
|
|
+# see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
|
|
|
container=docker
|
|
|
export container
|
|
|
|
|
|
@@ -18,6 +24,38 @@ fi
|
|
|
# running in a container.
|
|
|
mount --make-rshared /
|
|
|
|
|
|
+# Allow AppArmor to work inside the container;
|
|
|
+#
|
|
|
+# aa-status
|
|
|
+# apparmor filesystem is not mounted.
|
|
|
+# apparmor module is loaded.
|
|
|
+#
|
|
|
+# mount -t securityfs none /sys/kernel/security
|
|
|
+#
|
|
|
+# aa-status
|
|
|
+# apparmor module is loaded.
|
|
|
+# 30 profiles are loaded.
|
|
|
+# 30 profiles are in enforce mode.
|
|
|
+# /snap/snapd/18357/usr/lib/snapd/snap-confine
|
|
|
+# ...
|
|
|
+#
|
|
|
+# Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
|
|
|
+#
|
|
|
+# ## /sys/kernel/security
|
|
|
+#
|
|
|
+# In /sys/kernel/security mounted the securityfs interface, which allows
|
|
|
+# configuration of Linux Security Modules. This allows configuration of
|
|
|
+# AppArmor policies, and so access to this may allow a container to disable
|
|
|
+# its MAC system.
|
|
|
+#
|
|
|
+# Given that we're running privileged already, this should not be an issue.
|
|
|
+if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
|
|
|
+ mount -t securityfs none /sys/kernel/security || {
|
|
|
+ echo >&2 'Could not mount /sys/kernel/security.'
|
|
|
+ echo >&2 'AppArmor detection and --privileged mode might break.'
|
|
|
+ }
|
|
|
+fi
|
|
|
+
|
|
|
env > /etc/docker-entrypoint-env
|
|
|
|
|
|
cat > /etc/systemd/system/docker-entrypoint.target << EOF
|
Sebastiaan van Stijn