I’ve been investigating how confinement works when you launch a docker workload from a snap that can access the docker snap via the docker interface, and it very quickly became obvious that the container is launched directly by the docker daemon and therefore runs entirely under the confinement provided by the docker snap, and has no relation to any of the confinement in the snap using the docker interface. Therefore all containers run under the docker snap confinement.
Someone please correct me if I’m wrong on that point; perhaps I’m missing something, but it seems fairly cut and dried.
In that case, and especially as the docker-support interface seems pretty privileged, we need to implement AppArmor and seccomp profiles in the docker layer to get some comparable security back for the containers themselves. Can I just expect this to work as normal if I define profiles at the docker layer, or is there anything to watch out for here?
One of the first things that comes to mind is: can we somehow leverage the profiles generated by snapd for the standard snap interfaces? I presume verbatim would be too much to ask for as they contain SNAP env variables etc., but with some light modification they could be used as inspiration at least?
Any thoughts or experienced input would be very much appreciated.
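As an added example (not part of the original post), here is the docker-layer setup asked about above: a seccomp profile handed to `docker run`, the stock `docker-default` AppArmor profile, and a check from inside the container that both were actually applied. The profile contents, the `alpine` image and the `docker-default` profile name are assumptions.

```shell
# Added example, not from the original post: apply a seccomp profile and an
# AppArmor profile at the docker layer, then verify from inside the container
# that both took effect. Assumes the docker CLI and an alpine image exist.
set -eu

# Emit a small Docker seccomp profile (constructed for illustration). It allows
# everything except a deny-list of namespace/module/key syscalls, which fail
# with EPERM. Docker's own default profile is an allow-list; build on that.
make_seccomp_profile() {
  cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["mount", "umount2", "unshare", "setns", "ptrace", "keyctl",
                "add_key", "request_key", "init_module", "finit_module",
                "delete_module", "kexec_load", "bpf"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
}

# Read a /proc/<pid>/status dump on stdin and print the seccomp mode:
# 0 = disabled, 1 = strict, 2 = filter, or "none" if the line is missing.
seccomp_mode() {
  awk '/^Seccomp:/ { print $2; found = 1 } END { if (!found) print "none" }'
}

# True when a /proc/<pid>/attr/current value names an enforced AppArmor profile.
apparmor_enforced() {
  case "$1" in
    *" (enforce)") return 0 ;;
    *)             return 1 ;;
  esac
}

# Launch a throwaway container with both options and print what it sees. A
# custom AppArmor profile would be loaded with apparmor_parser and named here.
run_confined_check() {
  profile="$(mktemp)"
  make_seccomp_profile > "$profile"
  docker run --rm --security-opt "seccomp=$profile" \
    --security-opt apparmor=docker-default alpine sh -c \
    'grep ^Seccomp: /proc/self/status; cat /proc/self/attr/current'
  rm -f "$profile"
}
if [ "${1:-}" = "run" ]; then run_confined_check; fi
```

Run it as `sh check.sh run` on the docker host; `Seccomp: 2` and a profile ending in `(enforce)` mean the container is filtered and confined, while `0` or `unconfined` means the option was silently not applied.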