
Disclaimer: I'm a member of the Docker Security team.

We're working on a solution that would please most people for docker containers and services called the Docker Entitlements: https://github.com/moby/libentitlement

These Entitlements are high-level privileges for containers and services that could be baked into images, the same way as macOS/iOS apps. These permissions would allow creating custom {seccomp+capabilities+namespaces+apparmor+...} profiles (effectively security profiles) for better granularity in app sandbox configuration by app developers and ops.

The current POC has `docker run`, `docker service create` and even the build mechanism working. The integration is actively being worked on and PRs are being prepared.

The issue you mentioned is already open here: https://github.com/moby/libentitlement/issues/44

Feel free to have a look at it and open issues/participate, or reach out through GitHub, as I'm the lead and would love to discuss use cases :)
