Docker support interface


i have different pressing questions regarding the docker-support interface.

  1. Why is there a plug privileged defined in snapcraft.yaml (see below) and what is its purpose ?

  2. There is a further plug “support” with the same interface “docker-support”. Why could this plug not be used for the attribute privileged-containers:true/false?

  3. Does the privileged plug have any impact on the security of the snap host system?

  4. Why can the docker containers could not be started any more (entry point: permission denied) if the plug privileged plug is removed?

  5. What does the description in the docker support interface file mean? (see screenshot) Does this mean there is a possibility that one might break out of the snap sandbox? What dose “device ownership” mean in this context. (source (row 618))

From original docker snap sources:

    read: all
    interface: docker-support
    interface: docker-support
    privileged-containers: true
    interface: docker

    command: dockerd-wrapper
    daemon: simple
      - firewall-control
      - home
      - network-bind
      - network-control
      - privileged
      - support
      - docker-daemon

Thank you for your support.

Kind regards

if you put three backticks ``` above and below your pasted yaml it stays readable and does not lose all formatting :wink: (the indendation is pretty essential) …

1 Like
  1. It allows the docker daemon to create privileged containers
  2. the non-privileged docker-support plug called support is to allow the docker daemon to start containers
  3. yes, it allows privileged containers
  4. many reasons. e.g. is the container correctly built and does it work on another docker host that isn’t confined?
  5. yes. the docker-support interface is very broad and allows any snap using it to effectively “own” the device - i.e. it can do anything - this is why it is restricted to vetted snaps/publishers