Disable secomp global (#2711)

Pascal Vizeli 2021-03-11 13:23:06 +01:00 committed by GitHub
parent 16095c319a
commit e478e68b70
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 14 additions and 5 deletions


@ -189,7 +189,7 @@ class DockerAddon(DockerInterface):
@property
def security_opt(self) -> List[str]:
"""Control security options."""
security = []
security = super().security_opt
# AppArmor
apparmor = self.sys_host.apparmor.available
@ -198,10 +198,6 @@ class DockerAddon(DockerInterface):
elif self.addon.apparmor == SECURITY_PROFILE:
security.append(f"apparmor={self.addon.slug}")
# Disable Seccomp / We don't support it official and it
# causes problems on some types of host systems.
security.append("seccomp=unconfined")
return security
@property
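Review bot: `security = super().security_opt` followed by `security.append(...)` in the AppArmor branch mutates whatever list the base property hands back, which is safe only because `DockerInterface.security_opt` builds a fresh list on every access. Copying first, `security = list(super().security_opt)`, keeps an add-on's `apparmor=` entry from ending up in other containers' options if the base is ever changed to return a shared or cached list. The middle of the property lies between the two hunks and is not shown, and the class continues past the section.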


@ -90,6 +90,7 @@ class DockerAudio(DockerInterface, CoreSysAttributes):
hostname=self.name.replace("_", "-"),
detach=True,
cap_add=self.capabilities,
security_opt=self.security_opt,
ulimits=self.ulimits,
cpu_rt_runtime=self.cpu_rt_runtime,
device_cgroup_rules=self.cgroups_rules,


@ -45,6 +45,7 @@ class DockerCli(DockerInterface, CoreSysAttributes):
name=self.name,
hostname=self.name.replace("_", "-"),
detach=True,
security_opt=self.security_opt,
extra_hosts={
"supervisor": self.sys_docker.network.supervisor,
"observer": self.sys_docker.network.observer,


@ -44,6 +44,7 @@ class DockerDNS(DockerInterface, CoreSysAttributes):
name=self.name,
hostname=self.name.replace("_", "-"),
detach=True,
security_opt=self.security_opt,
environment={ENV_TIME: self.sys_config.timezone},
volumes={
str(self.sys_config.path_extern_dns): {"bind": "/config", "mode": "rw"}


@ -130,6 +130,7 @@ class DockerHomeAssistant(DockerInterface):
detach=True,
privileged=True,
init=False,
security_opt=self.security_opt,
network_mode="host",
volumes=self.volumes,
device_cgroup_rules=self.cgroups_rules,
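Review bot: `security_opt=self.security_opt` sits two lines below `privileged=True`, and Docker already runs privileged containers without a seccomp profile, so the new argument most likely changes nothing for this container. If it is kept for consistency with the other container types, a short comment such as `# privileged already implies seccomp=unconfined; passed for consistency` would stop a later reader from assuming seccomp was active here before this change. The call starts and ends outside the hunk.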


@ -93,6 +93,13 @@ class DockerInterface(CoreSysAttributes):
"""Return True if a task is in progress."""
return self.lock.locked()
@property
def security_opt(self) -> List[str]:
"""Control security options."""
# Disable Seccomp / We don't support it official and it
# causes problems on some types of host systems.
return ["seccomp=unconfined"]
def _get_credentials(self, image: str) -> dict:
"""Return a dictionay with credentials for docker login."""
registry = None
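Review bot: The new base `security_opt` hard-codes `seccomp=unconfined`, so every container type that now passes `security_opt=self.security_opt` (audio, CLI, DNS, multicast, observer) loses Docker's default syscall filter, including the multicast container that runs with `network_mode="host"`. The docstring `"""Control security options."""` does not say this; something like `"""Return the Docker security options for this container; seccomp is disabled for all container types."""` would make the trade-off visible at the definition. The comment could also name the host types that break, so the setting can later be narrowed to those hosts instead of applied everywhere. `_get_credentials` continues outside the hunk.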


@ -43,6 +43,7 @@ class DockerMulticast(DockerInterface, CoreSysAttributes):
hostname=self.name.replace("_", "-"),
network_mode="host",
detach=True,
security_opt=self.security_opt,
extra_hosts={"supervisor": self.sys_docker.network.supervisor},
environment={ENV_TIME: self.sys_config.timezone},
)


@ -44,6 +44,7 @@ class DockerObserver(DockerInterface, CoreSysAttributes):
name=self.name,
hostname=self.name.replace("_", "-"),
detach=True,
security_opt=self.security_opt,
restart_policy={"Name": "always"},
extra_hosts={"supervisor": self.sys_docker.network.supervisor},
environment={