diff --git a/supervisor/docker/addon.py b/supervisor/docker/addon.py
index bae599cc4..62ca87554 100644
--- a/supervisor/docker/addon.py
+++ b/supervisor/docker/addon.py
@@ -189,7 +189,7 @@ class DockerAddon(DockerInterface):
     @property
     def security_opt(self) -> List[str]:
         """Control security options."""
-        security = []
+        security = super().security_opt
 
         # AppArmor
         apparmor = self.sys_host.apparmor.available
@@ -198,10 +198,6 @@ class DockerAddon(DockerInterface):
         elif self.addon.apparmor == SECURITY_PROFILE:
             security.append(f"apparmor={self.addon.slug}")
 
-        # Disable Seccomp / We don't support it official and it
-        # causes problems on some types of host systems.
-        security.append("seccomp=unconfined")
-
         return security
 
     @property
diff --git a/supervisor/docker/audio.py b/supervisor/docker/audio.py
index 14388eeb2..1327b76a9 100644
--- a/supervisor/docker/audio.py
+++ b/supervisor/docker/audio.py
@@ -90,6 +90,7 @@ class DockerAudio(DockerInterface, CoreSysAttributes):
             hostname=self.name.replace("_", "-"),
             detach=True,
             cap_add=self.capabilities,
+            security_opt=self.security_opt,
             ulimits=self.ulimits,
             cpu_rt_runtime=self.cpu_rt_runtime,
             device_cgroup_rules=self.cgroups_rules,
diff --git a/supervisor/docker/cli.py b/supervisor/docker/cli.py
index 47f71a8f0..19e25ceaf 100644
--- a/supervisor/docker/cli.py
+++ b/supervisor/docker/cli.py
@@ -45,6 +45,7 @@ class DockerCli(DockerInterface, CoreSysAttributes):
             name=self.name,
             hostname=self.name.replace("_", "-"),
             detach=True,
+            security_opt=self.security_opt,
             extra_hosts={
                 "supervisor": self.sys_docker.network.supervisor,
                 "observer": self.sys_docker.network.observer,
diff --git a/supervisor/docker/dns.py b/supervisor/docker/dns.py
index 17bf1db3d..44f898f75 100644
--- a/supervisor/docker/dns.py
+++ b/supervisor/docker/dns.py
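Review bot: `security = super().security_opt` is mutated in place by the `security.append(...)` calls that follow, so DockerAddon now silently depends on the base property handing back a fresh list on every access; if the base implementation is ever changed to return a shared or cached list, the AppArmor entries would accumulate across calls and leak into other containers' options. A defensive copy keeps that contract local to this method: `security = list(super().security_opt)`. The body of `security_opt` continues past this hunk into the next one.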
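Review bot: Passing `security_opt=self.security_opt` into this container start means the audio plugin now runs with `seccomp=unconfined` (the list the new base property in interface.py returns), whereas before this change it would have used Docker's default seccomp profile; the same widening applies to the cli, dns, multicast and observer hunks in this diff. That is a deliberate reduction of the syscall sandbox for containers that previously had it, and nothing in the diff records why those plugins need it — the only rationale visible is the add-on comment about problems on some host systems. If it is intended, a one-line comment at the first such call site or in the base property, e.g. `# all supervisor-managed containers run without a seccomp profile, see DockerInterface.security_opt`, would make the policy reviewable; if it is not, the base could return `[]` and only DockerAddon opt out, which would preserve the previous behaviour for the plugins. The enclosing call continues outside the hunk.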
@@ -44,6 +44,7 @@ class DockerDNS(DockerInterface, CoreSysAttributes):
             name=self.name,
             hostname=self.name.replace("_", "-"),
             detach=True,
+            security_opt=self.security_opt,
             environment={ENV_TIME: self.sys_config.timezone},
             volumes={
                 str(self.sys_config.path_extern_dns): {"bind": "/config", "mode": "rw"}
diff --git a/supervisor/docker/homeassistant.py b/supervisor/docker/homeassistant.py
index e95a0d4e8..598864d67 100644
--- a/supervisor/docker/homeassistant.py
+++ b/supervisor/docker/homeassistant.py
@@ -130,6 +130,7 @@ class DockerHomeAssistant(DockerInterface):
             detach=True,
             privileged=True,
             init=False,
+            security_opt=self.security_opt,
             network_mode="host",
             volumes=self.volumes,
             device_cgroup_rules=self.cgroups_rules,
diff --git a/supervisor/docker/interface.py b/supervisor/docker/interface.py
index 75690155f..619b65156 100644
--- a/supervisor/docker/interface.py
+++ b/supervisor/docker/interface.py
@@ -93,6 +93,13 @@ class DockerInterface(CoreSysAttributes):
         """Return True if a task is in progress."""
         return self.lock.locked()
 
+    @property
+    def security_opt(self) -> List[str]:
+        """Control security options."""
+        # Disable Seccomp / We don't support it official and it
+        # causes problems on some types of host systems.
+        return ["seccomp=unconfined"]
+
     def _get_credentials(self, image: str) -> dict:
         """Return a dictionay with credentials for docker login."""
         registry = None
diff --git a/supervisor/docker/multicast.py b/supervisor/docker/multicast.py
index 425b6c9d4..2c9870f9c 100644
--- a/supervisor/docker/multicast.py
+++ b/supervisor/docker/multicast.py
@@ -43,6 +43,7 @@ class DockerMulticast(DockerInterface, CoreSysAttributes):
             hostname=self.name.replace("_", "-"),
             network_mode="host",
             detach=True,
+            security_opt=self.security_opt,
             extra_hosts={"supervisor": self.sys_docker.network.supervisor},
             environment={ENV_TIME: self.sys_config.timezone},
         )
diff --git a/supervisor/docker/observer.py b/supervisor/docker/observer.py
index 72aeda259..405ce7728 100644
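Review bot: `security_opt=self.security_opt` is added directly under `privileged=True`, and as far as I know Docker already runs privileged containers without a seccomp profile, so the `seccomp=unconfined` entry is most likely a no-op for the Home Assistant core container. It is harmless, but a reader may take this line as the thing that relaxes the sandbox when `privileged=True` on the line above already does far more; a short comment such as `# kept for consistency with the other containers; privileged already implies no seccomp profile` would prevent that misreading. The enclosing call continues outside the hunk.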
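Review bot: The new base `security_opt` now defines the security policy for every container built on DockerInterface, but its docstring `"""Control security options."""` says neither that subclasses are expected to extend the list via `super().security_opt` (as DockerAddon does in this diff) nor that the value disables Docker's default seccomp profile; I would replace it with `"""Return the Docker security_opt list applied to every container; subclasses extend it via super().security_opt."""`. The `List[str]` annotation is evaluated when the class body runs, and the hunk does not show whether interface.py imports `List` from typing — if it does not, importing the module raises NameError, so that is worth confirming. While the comment is being moved from addon.py, its wording ("We don't support it official") could be tightened to something like `# No official seccomp support; the default profile breaks some host systems.`.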
--- a/supervisor/docker/observer.py
+++ b/supervisor/docker/observer.py
@@ -44,6 +44,7 @@ class DockerObserver(DockerInterface, CoreSysAttributes):
             name=self.name,
             hostname=self.name.replace("_", "-"),
             detach=True,
+            security_opt=self.security_opt,
             restart_policy={"Name": "always"},
             extra_hosts={"supervisor": self.sys_docker.network.supervisor},
             environment={