librelad 4063283db1 feat(rootless): proper AppArmor profile for pasta network driver
The Debian-shipped passt AppArmor profile (/etc/apparmor.d/usr.bin.passt)
denies the accesses pasta needs to plumb rootlesskit's netns:
  - ptrace_read on the rootlesskit child to enter its user namespace
  - read /run/user/<uid>/dockerd-rootless/netns (the netns file)
  - read /proc/<pid>/net/{tcp,tcp6,udp,udp6} for implicit port forwarding

Without these the rootless docker daemon fails with:
  pasta failed with exit code 1:
  Couldn't open user namespace /proc/<pid>/ns/user: Permission denied

scripts/docker/install/rootless/rootless_apparmor.sh:
  New installRootlessApparmorForPasta() — idempotent fixup.
  1. Adds `include if exists <local/usr.bin.passt>` to the main profile
     (one line; re-adding is a no-op via grep).
  2. Writes /etc/apparmor.d/local/usr.bin.passt with the four rules
     pasta needs. The /local/ pattern is the standard Debian AppArmor
     hook for site-managed overrides — survives `apt upgrade passt`
     because it's outside the package's managed paths.
  3. Reloads via apparmor_parser -r.

Called from installDockerRootless after the override.conf write, gated
on $rootless_net == pasta. slirp4netns installs skip it.

This box was already manually patched while debugging the pasta swap —
the installer-side change makes it idempotent across reinstalls and
applies the same fix on any other host that installs rootless docker
with pasta as the net driver.

Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-26 23:13:04 +01:00
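The three steps the commit describes (add the `local/` include, write the override, reload) as a worked example. This is added example code, not the repository's rootless_apparmor.sh; the override rule text is my reading of the three denials listed above plus the `/proc/<pid>/ns/user` open from the error message, and the include insertion assumes the Debian profile file holds one profile block closed by a `}` at column 0. Paths default to the ones named in the commit message and can be overridden with `PROFILE_DIR` for testing outside /etc.

```shell
#!/bin/bash
# Added example: AppArmor local override so the Debian passt profile lets
# pasta plumb rootlesskit's netns for rootless Docker. Not the project's code.
# Run as root with the argument "install"; without it only the functions are defined.

PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"   # assumption: default Debian layout
PROFILE_NAME="usr.bin.passt"

# Body of /etc/apparmor.d/local/usr.bin.passt. Literal /proc and /run are used
# instead of the @{PROC}/@{run} tunables so the file reads the same in any
# AppArmor version. The rule set is an assumption derived from the denials
# listed in the commit message; narrow `ptrace (read),` with `peer=<label>`
# if your rootlesskit process runs under a confined profile.
render_local_override() {
    cat <<'EOF'
# Site-managed override for pasta as the rootless Docker network driver.
# Outside the passt package's managed paths, so it survives apt upgrades.

  # setns() into the rootlesskit child's user namespace
  ptrace (read),
  /proc/[0-9]*/ns/user r,
  # the netns file rootlesskit exposes for dockerd-rootless
  /run/user/[0-9]*/dockerd-rootless/netns r,
  # implicit port forwarding scans the listening sockets in the netns
  /proc/[0-9]*/net/{tcp,tcp6,udp,udp6} r,
EOF
}

# Number of times the include line is present (0 when absent).
count_include_lines() {
    grep -cF "include if exists <local/$2>" "$1" || true
}

# Insert `include if exists <local/NAME>` once, just before the last `}` of
# the profile so it lands inside the profile block. Re-running is a no-op.
ensure_include_line() {
    local profile="$1" name="$2" line last tmp
    line="  include if exists <local/$name>"
    if grep -qF "include if exists <local/$name>" "$profile"; then
        return 0
    fi
    last="$(grep -n '^}' "$profile" | tail -n1 | cut -d: -f1)"
    if [ -z "$last" ]; then
        echo "no closing brace found in $profile" >&2
        return 1
    fi
    tmp="$(mktemp)"
    awk -v n="$last" -v l="$line" 'NR==n {print l} {print}' "$profile" > "$tmp"
    # Copy the content back rather than mv, keeping the profile's mode/owner.
    cat "$tmp" > "$profile"
    rm -f "$tmp"
}

install_rootless_apparmor_for_pasta() {
    local profile="$PROFILE_DIR/$PROFILE_NAME"
    local override="$PROFILE_DIR/local/$PROFILE_NAME"
    local tmp
    if ! command -v apparmor_parser >/dev/null 2>&1; then
        echo "apparmor_parser not found; nothing to do" >&2
        return 0
    fi
    if [ ! -f "$profile" ]; then
        echo "$profile missing; is the passt package installed?" >&2
        return 1
    fi
    mkdir -p "$PROFILE_DIR/local"
    ensure_include_line "$profile" "$PROFILE_NAME"
    # Only rewrite the override when its content changed.
    tmp="$(mktemp)"
    render_local_override > "$tmp"
    if ! cmp -s "$tmp" "$override"; then
        install -m 0644 "$tmp" "$override"
    fi
    rm -f "$tmp"
    # -r replaces the loaded profile; on a parse error the old one stays active,
    # so a broken override never leaves pasta unconfined.
    apparmor_parser -r "$profile"
}

case "${1:-}" in
    install) install_rootless_apparmor_for_pasta ;;
esac
```

After a reload, confirm the fix took by starting the rootless daemon and checking the kernel log for lines containing `apparmor="DENIED"` with `profile="passt"`; any that remain name the exact path or operation still missing from the override, which is the only way to know the rule set above is complete for your pasta and rootlesskit versions.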

62 lines
2.4 KiB
Bash
Executable File

#!/bin/bash
# This file is auto-generated by generate_arrays.sh
# Do not edit manually - run './scripts/source/files/generate_arrays.sh run' to regenerate
docker_scripts=(
"docker/app/checks/app_installed.sh"
"docker/app/checks/container_health_loop.sh"
"docker/app/checks/container_health.sh"
"docker/app/compose/down_all.sh"
"docker/app/compose/down_app.sh"
"docker/app/compose/up_all.sh"
"docker/app/compose/up_app.sh"
"docker/app/compose/up_down_app.sh"
"docker/app/docker/remove_app.sh"
"docker/app/docker/restart_app.sh"
"docker/app/docker/start_all.sh"
"docker/app/docker/start_app.sh"
"docker/app/docker/stop_all.sh"
"docker/app/docker/stop_app.sh"
"docker/app/functions/function_app_tool.sh"
"docker/app/functions/function_install_app.sh"
"docker/app/functions/function_restart_app.sh"
"docker/app/uninstall/delete_data.sh"
"docker/app/uninstall/down_remove_app.sh"
"docker/app/uninstall/remove_images.sh"
"docker/app/uninstall/uninstall_app.sh"
"docker/checks/app_health_details.sh"
"docker/checks/app_health_status.sh"
"docker/checks/running_for_user.sh"
"docker/command/docker_run_install.sh"
"docker/command/docker_run.sh"
"docker/command/run_privileged.sh"
"docker/compose/copy_build_context.sh"
"docker/compose/restart_after_update.sh"
"docker/compose/setup_compose_yml.sh"
"docker/compose/update_and_start.sh"
"docker/compose/update_compose_yml.sh"
"docker/install/rooted/rooted_docker_check.sh"
"docker/install/rooted/rooted_docker_compose.sh"
"docker/install/rooted/rooted_docker.sh"
"docker/install/rootless/rootless_apparmor.sh"
"docker/install/rootless/rootless_docker.sh"
"docker/install/rootless/rootless_start_setup.sh"
"docker/install/rootless/rootless_uninstall.sh"
"docker/install/rootless/rootless_user.sh"
"docker/network/network_prune.sh"
"docker/network/network_randomize_subnet.sh"
"docker/network/network_setup.sh"
"docker/service/start_docker.sh"
"docker/service/stop_docker.sh"
"docker/setup_env.sh"
"docker/type_switcher/scan_container_socket.sh"
"docker/type_switcher/set_socket_permissions.sh"
"docker/type_switcher/swap_docker_type.sh"
"docker/type_switcher/switch_containers_type.sh"
"docker/update_docker_sudo_pass.sh"
"docker/update_docker_user_pass.sh"
"docker/whitelist_port_updater.sh"
)