Merge pull request #2432 from nextcloud/enh/noid/apparmor-unconfined

add apparmor_unconinfed to containers definition
2025-12-20 06:26:57 +00:00 · 2023-05-01 14:46:55 +02:00 · 2023-05-01 14:46:55 +02:00 · 77dee8caec
commit 77dee8caec
parent f861c66ade eeeeb2f37b
5 changed files with 22 additions and 3 deletions
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@ -105,6 +105,9 @@
 							"pattern": "^/dev/[a-z]+$"
 						}
 					},
+					"apparmor_unconfined": {
+						"type": "boolean"
+					},
 					"volumes": {
 						"type": "array",
 						"items": {
--- a/php/containers.json
+++ b/php/containers.json
@ -323,7 +323,8 @@
      ],
      "cap_add": [
        "SYS_ADMIN"
-      ]
+      ],
+      "apparmor_unconfined": true
    },
    {
      "container_name": "nextcloud-aio-watchtower",
--- a/php/src/Container/Container.php
+++ b/php/src/Container/Container.php
@ -26,6 +26,7 @@ class Container {
    /** @var string[] */
    private array $capAdd;
    private int $shmSize;
+    private bool $apparmorUnconfined;
    private DockerActionManager $dockerActionManager;

    public function __construct(
@ -43,6 +44,7 @@ class Container {
        array $devices,
        array $capAdd,
        int $shmSize,
+        bool $apparmorUnconfined,
        DockerActionManager $dockerActionManager
    ) {
        $this->identifier = $identifier;
@ -59,6 +61,7 @@ class Container {
        $this->devices = $devices;
        $this->capAdd = $capAdd;
        $this->shmSize = $shmSize;
+        $this->apparmorUnconfined = $apparmorUnconfined;
        $this->dockerActionManager = $dockerActionManager;
    }

@ -82,6 +85,10 @@ class Container {
        return $this->shmSize;
    }

+    public function isApparmorUnconfined() : bool {
+        return $this->apparmorUnconfined;
+    }
+
    public function GetMaxShutdownTime() : int {
        return $this->maxShutdownTime;
    }
--- a/php/src/ContainerDefinitionFetcher.php
+++ b/php/src/ContainerDefinitionFetcher.php
@ -223,6 +223,11 @@ class ContainerDefinitionFetcher
                $shmSize = $entry['shm_size'];
            }

+            $apparmorUnconfined = false;
+            if (isset($entry['apparmor_unconfined'])) {
+                $apparmorUnconfined = $entry['apparmor_unconfined'];
+            }
+
            $containers[] = new Container(
                $entry['container_name'],
                $displayName,
@ -238,6 +243,7 @@ class ContainerDefinitionFetcher
                $devices,
                $capAdd,
                $shmSize,
+                $apparmorUnconfined,
                $this->container->get(DockerActionManager::class)
            );
        }
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@ -421,10 +421,12 @@ class DockerActionManager
            $requestBody['HostConfig']['CapAdd'] = $capAdds;
        }

+        if ($container->isApparmorUnconfined()) {
+            $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];
+        }
+
        // Special things for the backup container which should not be exposed in the containers.json
        if ($container->GetIdentifier() === 'nextcloud-aio-borgbackup') {
-            $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];
-            
            // Additional backup directories
            $mounts = [];
            foreach ($this->configurationManager->GetAdditionalBackupDirectoriesArray() as $additionalBackupDirectories) {