Disable secomp global (#2711)

Pascal Vizeli 2021-03-11 13:23:06 +01:00 committed by GitHub
parent 16095c319a
commit e478e68b70
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 14 additions and 5 deletions


@ -189,7 +189,7 @@ class DockerAddon(DockerInterface):
@property @property
def security_opt(self) -> List[str]: def security_opt(self) -> List[str]:
"""Control security options.""" """Control security options."""
security = [] security = super().security_opt
# AppArmor # AppArmor
apparmor = self.sys_host.apparmor.available apparmor = self.sys_host.apparmor.available
@ -198,10 +198,6 @@ class DockerAddon(DockerInterface):
elif self.addon.apparmor == SECURITY_PROFILE: elif self.addon.apparmor == SECURITY_PROFILE:
security.append(f"apparmor={self.addon.slug}") security.append(f"apparmor={self.addon.slug}")
# Disable Seccomp / We don't support it official and it
# causes problems on some types of host systems.
security.append("seccomp=unconfined")
return security return security
@property @property
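Review bot: The override at the top of this section appends its AppArmor entry to the list handed back by `super().security_opt`, so it is correct only while the base property builds a fresh list on every access; if that property were ever cached or backed by a class-level constant, each addon would append into one shared list. A defensive copy makes the override independent of that detail: `security = list(super().security_opt)`. The docstring could also name what is inherited, e.g. `"""Control security options (base seccomp setting plus the addon's AppArmor profile)."""`. The section ends on the decorator of the next property, whose body is outside the hunk.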


@ -90,6 +90,7 @@ class DockerAudio(DockerInterface, CoreSysAttributes):
hostname=self.name.replace("_", "-"), hostname=self.name.replace("_", "-"),
detach=True, detach=True,
cap_add=self.capabilities, cap_add=self.capabilities,
security_opt=self.security_opt,
ulimits=self.ulimits, ulimits=self.ulimits,
cpu_rt_runtime=self.cpu_rt_runtime, cpu_rt_runtime=self.cpu_rt_runtime,
device_cgroup_rules=self.cgroups_rules, device_cgroup_rules=self.cgroups_rules,
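Review bot: With the new `security_opt=self.security_opt` line this container runs without Docker's default seccomp profile while also receiving `cap_add=self.capabilities`, so every added capability becomes usable through the full syscall surface; which capabilities those are is defined outside the hunk. If the audio container needs only a narrow set of syscalls, a profile scoped to it would be safer than inheriting unconfined from the base class. At minimum a call-site comment, `# inherits seccomp=unconfined from DockerInterface`, makes the relaxation visible next to the capability grant. The `run` call continues outside the hunk.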


@ -45,6 +45,7 @@ class DockerCli(DockerInterface, CoreSysAttributes):
name=self.name, name=self.name,
hostname=self.name.replace("_", "-"), hostname=self.name.replace("_", "-"),
detach=True, detach=True,
security_opt=self.security_opt,
extra_hosts={ extra_hosts={
"supervisor": self.sys_docker.network.supervisor, "supervisor": self.sys_docker.network.supervisor,
"observer": self.sys_docker.network.observer, "observer": self.sys_docker.network.observer,


@ -44,6 +44,7 @@ class DockerDNS(DockerInterface, CoreSysAttributes):
name=self.name, name=self.name,
hostname=self.name.replace("_", "-"), hostname=self.name.replace("_", "-"),
detach=True, detach=True,
security_opt=self.security_opt,
environment={ENV_TIME: self.sys_config.timezone}, environment={ENV_TIME: self.sys_config.timezone},
volumes={ volumes={
str(self.sys_config.path_extern_dns): {"bind": "/config", "mode": "rw"} str(self.sys_config.path_extern_dns): {"bind": "/config", "mode": "rw"}


@ -130,6 +130,7 @@ class DockerHomeAssistant(DockerInterface):
detach=True, detach=True,
privileged=True, privileged=True,
init=False, init=False,
security_opt=self.security_opt,
network_mode="host", network_mode="host",
volumes=self.volumes, volumes=self.volumes,
device_cgroup_rules=self.cgroups_rules, device_cgroup_rules=self.cgroups_rules,
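Review bot: The new `security_opt` line sits next to `privileged=True`, and to my understanding Docker already starts privileged containers with the default seccomp profile disabled, so `seccomp=unconfined` is redundant here rather than harmful. If it is kept so that every Supervisor container reads its options from one place, a comment such as `# redundant under privileged=True; kept so all containers share one security_opt source` spares the next reader from checking whether the two settings interact. The call continues outside the hunk.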


@ -93,6 +93,13 @@ class DockerInterface(CoreSysAttributes):
"""Return True if a task is in progress.""" """Return True if a task is in progress."""
return self.lock.locked() return self.lock.locked()
@property
def security_opt(self) -> List[str]:
"""Control security options."""
# Disable Seccomp / We don't support it official and it
# causes problems on some types of host systems.
return ["seccomp=unconfined"]
def _get_credentials(self, image: str) -> dict: def _get_credentials(self, image: str) -> dict:
"""Return a dictionay with credentials for docker login.""" """Return a dictionay with credentials for docker login."""
registry = None registry = None
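Review bot: Making `["seccomp=unconfined"]` the base property's unconditional return value turns off Docker's default seccomp profile for every container that passes `security_opt` through, not only the add-ons that previously received it, and nothing in the hunk ties the relaxation to the host systems where seccomp reportedly causes problems. The file already gates AppArmor on `self.sys_host.apparmor.available`; a similar host-side check for seccomp, returning `[]` when the default profile is known to work, would confine the loss of syscall filtering to hosts that need it — whether such a host property exists is outside this hunk. The docstring and comment should say what is being disabled and that subclasses extending the list must start from `super().security_opt`, e.g. `"""Docker security options shared by all Supervisor containers (disables the default seccomp profile)."""`, and `official` reads as `officially`. Keep the property returning a new list on each access, as it does now, since subclasses append to it.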


@ -43,6 +43,7 @@ class DockerMulticast(DockerInterface, CoreSysAttributes):
hostname=self.name.replace("_", "-"), hostname=self.name.replace("_", "-"),
network_mode="host", network_mode="host",
detach=True, detach=True,
security_opt=self.security_opt,
extra_hosts={"supervisor": self.sys_docker.network.supervisor}, extra_hosts={"supervisor": self.sys_docker.network.supervisor},
environment={ENV_TIME: self.sys_config.timezone}, environment={ENV_TIME: self.sys_config.timezone},
) )


@ -44,6 +44,7 @@ class DockerObserver(DockerInterface, CoreSysAttributes):
name=self.name, name=self.name,
hostname=self.name.replace("_", "-"), hostname=self.name.replace("_", "-"),
detach=True, detach=True,
security_opt=self.security_opt,
restart_policy={"Name": "always"}, restart_policy={"Name": "always"},
extra_hosts={"supervisor": self.sys_docker.network.supervisor}, extra_hosts={"supervisor": self.sys_docker.network.supervisor},
environment={ environment={