
WIP: Add seccomp/apparmor to docker stack
DO NOT MERGE. Also I'll probably forget to redo this commit message even
after this is merge ready but still DO NOT MERGE until I fix it.

Adds seccomp, apparmor, and no-new-privileges flags to docker compose
for the docker stack command

Signed-off-by: Drew Erny <[email protected]>
dperny committed Dec 17, 2024
1 parent 2986daf commit c1cec5b
Showing 6 changed files with 23 additions and 1 deletion.
6 changes: 6 additions & 0 deletions cli/compose/loader/full-example.yml
Expand Up @@ -3,6 +3,8 @@ version: "3.13"
services:
foo:

apparmor: disabled

build:
context: ./dir
dockerfile: Dockerfile
Expand Down Expand Up @@ -215,6 +217,8 @@ services:
ipv6_address: 2001:3984:3989::10
other-other-network:

no_new_privileges: true

pid: "host"

ports:
Expand All @@ -232,6 +236,8 @@ services:

restart: always

seccomp: unconfined

secrets:
- secret1
- source: secret2
6 changes: 5 additions & 1 deletion cli/compose/loader/full-struct_test.go
Expand Up @@ -33,6 +33,8 @@ func services(workingDir, homeDir string) []types.ServiceConfig {
{
Name: "foo",

AppArmor: "disabled",

Build: types.BuildConfig{
Context: "./dir",
Dockerfile: "Dockerfile",
Expand Down Expand Up @@ -201,7 +203,8 @@ func services(workingDir, homeDir string) []types.ServiceConfig {
},
"other-other-network": nil,
},
Pid: "host",
NoNewPrivileges: true,
Pid: "host",
Ports: []types.ServicePortConfig{
// "3000",
{
Expand Down Expand Up @@ -339,6 +342,7 @@ func services(workingDir, homeDir string) []types.ServiceConfig {
Privileged: true,
ReadOnly: true,
Restart: "always",
Seccomp: "unconfined",
Secrets: []types.ServiceSecretConfig{
{
Source: "secret1",
3 changes: 3 additions & 0 deletions cli/compose/loader/testdata/full-example.json.golden
Expand Up @@ -83,6 +83,7 @@
},
"services": {
"foo": {
"apparmor": "disabled",
"build": {
"context": "./dir",
"dockerfile": "Dockerfile",
Expand Down Expand Up @@ -292,6 +293,7 @@
}
}
},
"no_new_privileges": true,
"pid": "host",
"ports": [
{
Expand Down Expand Up @@ -424,6 +426,7 @@
"privileged": true,
"read_only": true,
"restart": "always",
"seccomp": "unconfined",
"secrets": [
{
"source": "secret1"
3 changes: 3 additions & 0 deletions cli/compose/loader/testdata/full-example.yaml.golden
@@ -1,6 +1,7 @@
version: "3.13"
services:
foo:
apparmor: disabled
build:
context: ./dir
dockerfile: Dockerfile
Expand Down Expand Up @@ -155,6 +156,7 @@ services:
driver_opts:
driveropt1: optval1
driveropt2: optval2
no_new_privileges: true
pid: host
ports:
- mode: ingress
Expand Down Expand Up @@ -242,6 +244,7 @@ services:
privileged: true
read_only: true
restart: always
seccomp: unconfined
secrets:
- source: secret1
- source: secret2
3 changes: 3 additions & 0 deletions cli/compose/schema/data/config_schema_v3.13.json
Expand Up @@ -75,6 +75,7 @@

"properties": {
"deploy": {"$ref": "#/definitions/deployment"},
"apparmor": {"type": "string"},
"build": {
"oneOf": [
{"type": "string"},
Expand Down Expand Up @@ -216,6 +217,7 @@
}
]
},
"no_new_privileges": {"type": "boolean"},
"pid": {"type": ["string", "null"]},

"ports": {
Expand Down Expand Up @@ -244,6 +246,7 @@
"restart": {"type": "string"},
"security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
"shm_size": {"type": ["number", "string"]},
"seccomp": {"type": "string"},
"secrets": {
"type": "array",
"items": {
3 changes: 3 additions & 0 deletions cli/compose/types/types.go
Expand Up @@ -158,6 +158,7 @@ func (s Services) MarshalJSON() ([]byte, error) {
type ServiceConfig struct {
Name string `yaml:"-" json:"-"`

AppArmor string `yaml:"apparmor,omitempty" json:"apparmor,omitempty"`
Build BuildConfig `yaml:",omitempty" json:"build,omitempty"`
CapAdd []string `mapstructure:"cap_add" yaml:"cap_add,omitempty" json:"cap_add,omitempty"`
CapDrop []string `mapstructure:"cap_drop" yaml:"cap_drop,omitempty" json:"cap_drop,omitempty"`
Expand Down Expand Up @@ -191,11 +192,13 @@ type ServiceConfig struct {
MacAddress string `mapstructure:"mac_address" yaml:"mac_address,omitempty" json:"mac_address,omitempty"`
NetworkMode string `mapstructure:"network_mode" yaml:"network_mode,omitempty" json:"network_mode,omitempty"`
Networks map[string]*ServiceNetworkConfig `yaml:",omitempty" json:"networks,omitempty"`
NoNewPrivileges bool `mapstructure:"no_new_privileges" yaml:"no_new_privileges,omitempty" json:"no_new_privileges,omitempty"`
Pid string `yaml:",omitempty" json:"pid,omitempty"`
Ports []ServicePortConfig `yaml:",omitempty" json:"ports,omitempty"`
Privileged bool `yaml:",omitempty" json:"privileged,omitempty"`
ReadOnly bool `mapstructure:"read_only" yaml:"read_only,omitempty" json:"read_only,omitempty"`
Restart string `yaml:",omitempty" json:"restart,omitempty"`
Seccomp string `yaml:",omitempty" json:"seccomp,omitempty"`
Secrets []ServiceSecretConfig `yaml:",omitempty" json:"secrets,omitempty"`
SecurityOpt []string `mapstructure:"security_opt" yaml:"security_opt,omitempty" json:"security_opt,omitempty"`
ShmSize string `mapstructure:"shm_size" yaml:"shm_size,omitempty" json:"shm_size,omitempty"`
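Review bot: The new AppArmor, NoNewPrivileges and Seccomp fields carry no doc comments, and nothing states how they relate to the existing SecurityOpt field two lines below Seccomp, which already expresses the same settings as `security_opt` entries; a compose file can set both, and this hunk leaves the precedence undefined. Because the matching hunk in cli/compose/schema/data/config_schema_v3.13.json types apparmor and seccomp as unconstrained strings, a comment on the struct is the only place a reader learns what the values mean, and the fixtures only show `disabled` and `unconfined`. I'd add one-line comments such as `// Seccomp is the seccomp profile applied to the service's containers; overlaps with seccomp entries in SecurityOpt (precedence TBD).` and the equivalent for AppArmor and NoNewPrivileges, and settle that precedence before the DO NOT MERGE marker comes off, with a case in full-struct_test.go covering a file that sets both. The ServiceConfig struct continues past the end of the hunk.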
