I’m in the process of bringing up Docker support on Ubuntu Touch, for developers with convergent devices wanting to develop off a monitor-capable phone or tablet.
On the JingPad with kernel 4.14 this required very few changes to snapd, basically just enabling this bit in docker_support.go, which is due to Touch and Core 18 sharing the same writable-path mechanism: snapd/interfaces/builtin/docker_support.go at master · canonical/snapd · GitHub
This allows for a confined Docker to run our Clickable docker container to build Ubuntu Touch apps!
On the Fairphone 4 and 5 with kernels 4.19 and 5.4 respectively the situation is a little rougher. After allowing some new bits for runc, the current blocker is that both kernels won't allow the container's /usr/bin/debconf-communicate to open. Inspected with docker run -it clickable/arm64-ut24.04-1.x-arm64 /bin/bash:
root@96cad27b2baf:/# debconf-communicate
Can't open perl script "/usr/bin/debconf-communicate": Permission denied
<fast-forward to dmesg>
[ 1063.094029] audit: type=1400 audit(1762467329.101:869): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/usr/bin/debconf-communicate" pid=10548 comm="debconf-communi" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Note it seems to resolve the path to the host’s view of the filesystem, not the container’s.
The AppArmor implementations of all three kernels are based on Android vendor kernel state with their respective upstream patches from AppArmor GitLab applied on top, including AF_UNIX mediation.
Any hints on how to debug this?
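As an added example from the editor, not code from the post, from snapd or from Docker: a small Python helper that parses `audit: type=1400 ... apparmor="DENIED"` lines like the one quoted above into their fields, groups the denials per profile and path, and prints the candidate AppArmor file rule each one would need. The embedded input is the post's own denial plus three constructed lines (a duplicate, a `mknod` denial and an `ALLOWED` complain-mode line) so the grouping and filtering are visible; the mask-to-permission mapping (audit `c`/`d` becoming policy `w`) is standard AppArmor, and the host-path caveat in the comments only restates the post's observation.

```python
import re
from collections import defaultdict

# Sample input. Line 1 is the denial quoted in the post; lines 2-4 are
# CONSTRUCTED for this example (a repeat, a create denial from runc, and a
# complain-mode ALLOWED line that must not turn into a rule).
SAMPLE_DMESG = """\
[ 1063.094029] audit: type=1400 audit(1762467329.101:869): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/usr/bin/debconf-communicate" pid=10548 comm="debconf-communi" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1063.100001] audit: type=1400 audit(1762467329.107:870): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/usr/bin/debconf-communicate" pid=10548 comm="debconf-communi" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1070.000000] audit: type=1400 audit(1762467336.000:871): apparmor="DENIED" operation="mknod" profile="snap.docker.dockerd" name="/var/lib/docker/tmp/x" pid=10600 comm="runc" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 1071.000000] audit: type=1400 audit(1762467337.000:872): apparmor="ALLOWED" operation="open" profile="snap.docker.dockerd" name="/etc/foo" pid=10601 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value tokens as printed by the audit subsystem.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in _TOKEN.findall(line):
        fields[key] = quoted or bare
    for k in ('pid', 'fsuid', 'ouid'):
        if k in fields:
            fields[k] = int(fields[k])
    return fields


def denials(text):
    """Yield parsed DENIED events; ALLOWED lines come from complain mode and are skipped."""
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.get('apparmor') == 'DENIED':
            yield ev


def summarize(text):
    """Group denials by (profile, name): hit count, union of denied masks, operations, comms."""
    groups = defaultdict(lambda: {'count': 0, 'masks': set(), 'ops': set(), 'comms': set()})
    for ev in denials(text):
        g = groups[(ev['profile'], ev.get('name', ''))]
        g['count'] += 1
        g['masks'].update(ev.get('denied_mask', ''))
        g['ops'].add(ev['operation'])
        g['comms'].add(ev.get('comm', ''))
    return dict(groups)


# Audit masks report c (create) and d (delete); AppArmor file rules express both as w.
_MASK_TO_PERM = {'c': 'w', 'd': 'w'}
_PERM_ORDER = 'rwamxlk'


def rule_for(name, masks):
    """Build the minimal AppArmor file rule granting the denied permissions on name."""
    perms = {_MASK_TO_PERM.get(m, m) for m in masks}
    return f"{name} {''.join(p for p in _PERM_ORDER if p in perms)},"


def suggest_rules(text):
    """One candidate file rule per (profile, path), each preceded by a comment on its origin.

    Caveat (from the post): the kernel prints `name` as it resolves in the host's view of
    the filesystem, not the container's, so confirm which file a rule would actually match
    before adding it to the snap's profile.
    """
    summary = summarize(text)
    out = []
    for profile, name in sorted(summary):
        g = summary[(profile, name)]
        if not name.startswith('/'):
            continue  # non-file mediation (network, dbus, ...) needs a different rule form
        ops = ','.join(sorted(g['ops']))
        comms = ','.join(sorted(g['comms']))
        out.append(f"# {profile}: {ops} by {comms}, {g['count']}x")
        out.append(rule_for(name, g['masks']))
    return out


if __name__ == '__main__':
    print('\n'.join(suggest_rules(SAMPLE_DMESG)))
```

Feeding real output into it (for example `dmesg | python3 aa_denials.py` with `SAMPLE_DMESG` swapped for `sys.stdin.read()`) gives a deduplicated list of what the profile blocked and the rules that would unblock each path; the rules are a starting point for reasoning, not something to paste into the profile blindly.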