chore: no more --privileged containers

2025-08-03 09:47:01 -04:00 · 2025-07-29 09:42:01 +02:00 · 2025-07-29 09:42:01 +02:00 · 4517e526ba
commit 4517e526ba
parent 997118da6e
2 changed files with 3 additions and 3 deletions
--- a/.docker/Makefile
+++ b/.docker/Makefile
@ -10,7 +10,7 @@ ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 NPROC:=$(shell nproc)

 COMMON_RUN_OPTS=-it --rm \
-		--cap-add SYS_ADMIN --device /dev/fuse --privileged \
+		--cap-add SYS_ADMIN --device /dev/fuse \
 		--mount type=bind,source="$(ROOT_DIR)"/..,target=/workspace,readonly \
 		--mount type=bind,source="$(ROOT_DIR)"/../@docker-ccache,target=/ccache \
 		--mount type=bind,source="$(ROOT_DIR)"/../@docker-home,target=/home/mhx \
--- a/.github/workflows/docker-run-build.yml
+++ b/.github/workflows/docker-run-build.yml
@ -64,8 +64,8 @@ jobs:

      - name: Run Build
        run: |
-          docker run --rm \
-            --cap-add SYS_ADMIN --device /dev/fuse --privileged \
+          docker run --rm --init \
+            --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined \
            --mount type=bind,source=${GITHUB_WORKSPACE},target=/workspace,readonly \
            --mount type=bind,source=${{ runner.temp }},target=/tmp-runner \
            --mount type=bind,source=${HOME}/github-ccache,target=/ccache \