This is a docker seccomp profile that allows you to run flatpak
inside a docker container, given some special requirements:
* The host kernel must support unprivileged user namespaces
  (Supported by e.g. fedora and ubuntu kernels)
* The seccomp profile must be used
  (--security-opt seccomp=flatpak-docker-seccomp.json)
* flatpak is run as a regular user, not root, in the container
* The full host /proc must be visible in the container
  (-v=/proc:/host/proc)
The last one is a bit weird, but the regular /proc in docker
is mounted with some cover-over mounts, and this makes the kernel
disallow mounting a new procfs for the pid namespace. Adding
in a full copy of the host fs causes this to be allowed.
Closes: #2867
Approved by: alexlarsson
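
A preflight check for the four requirements listed in the commit message, to run inside the container before starting flatpak. This is an added example, not code from the flatpak project. The function names and the sample mountinfo are constructed for illustration, and it assumes the kernel exposes /proc/sys/user/max_user_namespaces, the Debian/Ubuntu-specific unprivileged_userns_clone switch where present, and the Seccomp field in /proc/self/status.

```shell
# Each check takes file paths as arguments so it also runs on fixtures.

# Number of mounts stacked on paths below /proc (docker's cover-over mounts).
# Field 5 of a mountinfo line is the mount point.
proc_overmounts() {
    awk '$5 ~ /^\/proc\// { n++ } END { print n + 0 }' "$1"
}

# True if mountinfo ($1) lists a procfs at $2 (fs type follows the "-" field).
procfs_at() {
    awk -v mp="$2" '$5 == mp { for (i = 7; i < NF; i++)
        if ($i == "-" && $(i + 1) == "proc") ok = 1 }
        END { exit !ok }' "$1"
}

# True if unprivileged user namespaces are usable, given a /proc/sys root.
userns_enabled() {
    [ -r "$1/user/max_user_namespaces" ] || return 1
    [ "$(cat "$1/user/max_user_namespaces")" -gt 0 ] || return 1
    # Debian/Ubuntu-only switch (assumption); absent means no extra limit.
    [ ! -r "$1/kernel/unprivileged_userns_clone" ] ||
        [ "$(cat "$1/kernel/unprivileged_userns_clone")" = 1 ]
}

# True if some seccomp filter is active (Seccomp: 2); not which profile.
seccomp_filtered() {
    grep -Eq '^Seccomp:[[:space:]]+2$' "$1"
}

# Constructed mountinfo for a container run with -v=/proc:/host/proc.
sample_mountinfo() {
    cat <<'EOF'
100 90 0:50 / / rw,relatime - overlay overlay rw
101 100 0:55 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 101 0:55 /bus /proc/bus ro,relatime - proc proc rw
103 101 0:56 / /proc/acpi ro,relatime - tmpfs tmpfs ro
105 100 0:5 / /host/proc rw,nosuid,nodev,noexec,relatime - proc proc rw
EOF
}

preflight() {
    rc=0
    [ "$(id -u)" -ne 0 ] || { echo "FAIL: running as root"; rc=1; }
    userns_enabled /proc/sys || { echo "FAIL: unprivileged userns off"; rc=1; }
    seccomp_filtered /proc/self/status || { echo "FAIL: no seccomp filter"; rc=1; }
    procfs_at /proc/self/mountinfo /host/proc || { echo "FAIL: no /host/proc"; rc=1; }
    echo "mounts covering /proc: $(proc_overmounts /proc/self/mountinfo)"
    return $rc
}
```

Source the file and call `preflight` inside the container; a nonzero return means at least one requirement is not met.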