Skip to content

Commit

Permalink
Add flatpak in docker seccomp profile
Browse files Browse the repository at this point in the history
This is a docker seccomp profile that allows you to run flatpak
inside a docker container, given some special requirements:

 * The host kernel must support unprivileged user namespaces
   (Supported by e.g. fedora and ubuntu kernels)
 * The seccomp profile must be used
   (--security-opt seccomp=flatpak-docker-seccomp.json)
 * flatpak is run as a reguler user, not root, in the container
 * The full host /proc must be visible in the container
   (-v=/proc:/host/proc)

The last one is a bit weird, but the regular /proc in docker
is mounted with some cover-over mounts, and this makes the kernel
disallow mounting a new procfs for the pid namespace. Adding
in a full copy of the host fs causes this to be allowed.

Closes: #2867
Approved by: alexlarsson
  • Loading branch information
alexlarsson authored and rh-atomic-bot committed Apr 30, 2019
1 parent 5020790 commit 26ad915
Show file tree
Hide file tree
Showing 2 changed files with 810 additions and 0 deletions.
1 change: 1 addition & 0 deletions data/Makefile.am.inc
Original file line number Diff line number Diff line change
Expand Up @@ -10,4 +10,5 @@ EXTRA_DIST += \
data/org.freedesktop.systemd1.xml \
data/org.freedesktop.Flatpak.xml \
data/org.freedesktop.portal.Flatpak.xml \
data/flatpak-docker-seccomp.json \
$(NULL)
Loading

0 comments on commit 26ad915

Please sign in to comment.