From b10de33458bcac61ef57942eef19afae89d8e5f7 Mon Sep 17 00:00:00 2001 From: Drew Erny Date: Tue, 17 Dec 2024 07:22:11 -0600 Subject: [PATCH] WIP: Add seccomp/apparmor to docker stack DO NOT MERGE. Also I'll probably forget to redo this commit message even after this is merge ready but still DO NOT MERGE until I fix it. Adds seccomp, apparmor, and no-new-privileges flags to docker compose for docker stack command Signed-off-by: Drew Erny --- cli/compose/loader/full-example.yml | 6 ++++++ cli/compose/loader/full-struct_test.go | 6 +++++- cli/compose/loader/testdata/full-example.json.golden | 3 +++ cli/compose/loader/testdata/full-example.yaml.golden | 3 +++ cli/compose/schema/data/config_schema_v3.13.json | 3 +++ cli/compose/types/types.go | 3 +++ 6 files changed, 23 insertions(+), 1 deletion(-) diff --git a/cli/compose/loader/full-example.yml b/cli/compose/loader/full-example.yml index 36ebf833e708..fda2a1c327cf 100644 --- a/cli/compose/loader/full-example.yml +++ b/cli/compose/loader/full-example.yml @@ -3,6 +3,8 @@ version: "3.13" services: foo: + apparmor: disabled + build: context: ./dir dockerfile: Dockerfile @@ -215,6 +217,8 @@ services: ipv6_address: 2001:3984:3989::10 other-other-network: + no_new_privileges: true + pid: "host" ports: @@ -232,6 +236,8 @@ services: restart: always + seccomp: unconfined + secrets: - secret1 - source: secret2 diff --git a/cli/compose/loader/full-struct_test.go b/cli/compose/loader/full-struct_test.go index 2aa512d09726..edea94f99852 100644 --- a/cli/compose/loader/full-struct_test.go +++ b/cli/compose/loader/full-struct_test.go @@ -33,6 +33,8 @@ func services(workingDir, homeDir string) []types.ServiceConfig { { Name: "foo", + AppArmor: "disabled", + Build: types.BuildConfig{ Context: "./dir", Dockerfile: "Dockerfile", 
@@ -201,7 +203,8 @@ func services(workingDir, homeDir string) []types.ServiceConfig { }, "other-other-network": nil, }, - Pid: "host", + NoNewPrivileges: true, + Pid: "host", Ports: []types.ServicePortConfig{ // "3000", { @@ -339,6 +342,7 @@ func services(workingDir, homeDir string) []types.ServiceConfig { Privileged: true, ReadOnly: true, Restart: "always", + Seccomp: "unconfined", Secrets: []types.ServiceSecretConfig{ { Source: "secret1", diff --git a/cli/compose/loader/testdata/full-example.json.golden b/cli/compose/loader/testdata/full-example.json.golden index c0ef39dabe37..b82c2beb4269 100644 --- a/cli/compose/loader/testdata/full-example.json.golden +++ b/cli/compose/loader/testdata/full-example.json.golden @@ -83,6 +83,7 @@ }, "services": { "foo": { + "apparmor": "disabled", "build": { "context": "./dir", "dockerfile": "Dockerfile", @@ -292,6 +293,7 @@ } } }, + "no_new_privileges": true, "pid": "host", "ports": [ { @@ -424,6 +426,7 @@ "privileged": true, "read_only": true, "restart": "always", + "seccomp": "unconfined", "secrets": [ { "source": "secret1" diff --git a/cli/compose/loader/testdata/full-example.yaml.golden b/cli/compose/loader/testdata/full-example.yaml.golden index ec925790adce..2c061427fb39 100644 --- a/cli/compose/loader/testdata/full-example.yaml.golden +++ b/cli/compose/loader/testdata/full-example.yaml.golden @@ -1,6 +1,7 @@ version: "3.13" services: foo: + apparmor: disabled build: context: ./dir dockerfile: Dockerfile @@ -155,6 +156,7 @@ services: driver_opts: driveropt1: optval1 driveropt2: optval2 + no_new_privileges: true pid: host ports: - mode: ingress @@ -242,6 +244,7 @@ services: privileged: true read_only: true restart: always + seccomp: unconfined secrets: - source: secret1 - source: secret2 diff --git a/cli/compose/schema/data/config_schema_v3.13.json b/cli/compose/schema/data/config_schema_v3.13.json index 8daa8892d625..39bd1116bae4 100644 --- a/cli/compose/schema/data/config_schema_v3.13.json 
+++ b/cli/compose/schema/data/config_schema_v3.13.json @@ -75,6 +75,7 @@ "properties": { "deploy": {"$ref": "#/definitions/deployment"}, + "apparmor": {"type": "string"}, "build": { "oneOf": [ {"type": "string"}, @@ -216,6 +217,7 @@ } ] }, + "no_new_privileges": {"type": "boolean"}, "pid": {"type": ["string", "null"]}, "ports": { @@ -244,6 +246,7 @@ "restart": {"type": "string"}, "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, "shm_size": {"type": ["number", "string"]}, + "seccomp": {"type": "string"}, "secrets": { "type": "array", "items": { diff --git a/cli/compose/types/types.go b/cli/compose/types/types.go index 55b80365feca..a4e4699c6860 100644 --- a/cli/compose/types/types.go +++ b/cli/compose/types/types.go @@ -158,6 +158,7 @@ func (s Services) MarshalJSON() ([]byte, error) { type ServiceConfig struct { Name string `yaml:"-" json:"-"` + AppArmor string `yaml:"apparmor,omitempty" json:"apparmor,omitempty"` Build BuildConfig `yaml:",omitempty" json:"build,omitempty"` CapAdd []string `mapstructure:"cap_add" yaml:"cap_add,omitempty" json:"cap_add,omitempty"` CapDrop []string `mapstructure:"cap_drop" yaml:"cap_drop,omitempty" json:"cap_drop,omitempty"` 
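Review bot: The new `apparmor` and `seccomp` properties are validated only as `{"type": "string"}`, so a misspelled mode such as `unconfind` or `disabld` passes schema validation and would be caught, if at all, only when the stack is deployed. If the values these keys accept are a closed set of modes (the fixture uses `disabled` for apparmor and `unconfined` for seccomp), an `enum` rejects typos at load time, e.g. `"apparmor": {"type": "string", "enum": ["default", "disabled"]}`; if `seccomp` is also meant to carry a custom profile reference, keep the plain string type but state the accepted forms in a comment or the docs next to the property. Note also that `security_opt` in the same properties block can already express seccomp/apparmor/no-new-privileges entries, and nothing in this patch says which wins when both are given; the conversion code that would decide that is not part of this diff.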
@@ -191,11 +192,13 @@ type ServiceConfig struct { MacAddress string `mapstructure:"mac_address" yaml:"mac_address,omitempty" json:"mac_address,omitempty"` NetworkMode string `mapstructure:"network_mode" yaml:"network_mode,omitempty" json:"network_mode,omitempty"` Networks map[string]*ServiceNetworkConfig `yaml:",omitempty" json:"networks,omitempty"` + NoNewPrivileges bool `mapstructure:"no_new_privileges" yaml:"no_new_privileges,omitempty" json:"no_new_privileges,omitempty"` Pid string `yaml:",omitempty" json:"pid,omitempty"` Ports []ServicePortConfig `yaml:",omitempty" json:"ports,omitempty"` Privileged bool `yaml:",omitempty" json:"privileged,omitempty"` ReadOnly bool `mapstructure:"read_only" yaml:"read_only,omitempty" json:"read_only,omitempty"` Restart string `yaml:",omitempty" json:"restart,omitempty"` + Seccomp string `yaml:",omitempty" json:"seccomp,omitempty"` Secrets []ServiceSecretConfig `yaml:",omitempty" json:"secrets,omitempty"` SecurityOpt []string `mapstructure:"security_opt" yaml:"security_opt,omitempty" json:"security_opt,omitempty"` ShmSize string `mapstructure:"shm_size" yaml:"shm_size,omitempty" json:"shm_size,omitempty"`
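Review bot: The added `NoNewPrivileges` and `Seccomp` fields (and `AppArmor` in the earlier hunk) carry no comment describing what values they accept or how they relate to the existing `SecurityOpt` slice, which can already hold `seccomp=`, `apparmor=` and `no-new-privileges` entries; a reader of the struct cannot tell whether the new fields are the supported replacement, an alias, or an independent setting. Since the commit is marked WIP and the code mapping these fields onto the swarm service spec is not in the patch, I would at least pin the intent on the fields now, e.g. `// NoNewPrivileges maps the no_new_privileges key; precedence over a no-new-privileges entry in SecurityOpt is TBD` and `// Seccomp maps the seccomp key (mode string, e.g. "unconfined"); accepted values to be validated by the conversion code`. The `yaml:",omitempty"` tag on `Seccomp` matches the `Pid`/`Restart` style of relying on the lowercased field name, so no `mapstructure` tag is needed there. The `ServiceConfig` struct continues past this hunk.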