The feature docker-in-docker fails to start the docker daemon with the error message

```
mount: /sys/kernel/security: permission denied.
dmesg(1) may have more information after failed mount system call.
Could not mount /sys/kernel/security.
AppArmor detection and --privileged mode might break.
```

when using a devcontainer with the Docker Desktop Hyper-V backend and having Enhanced Container Isolation enabled.
The container is started using --privileged, however there are still some restrictions:

> Containers become harder to breach. For example, sensitive system calls are vetted and portions of /proc and /sys are emulated inside the container.
This part of the code that checks for AppArmor stops the start, even though it would otherwise work perfectly fine.

```sh
if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
    mount -t securityfs none /sys/kernel/security || {
        echo >&2 'Could not mount /sys/kernel/security.'
        echo >&2 'AppArmor detection and --privileged mode might break.'
    }
fi
```
When building the container with ECI disabled and then running the built container with it enabled, everything works fine.
I would propose to either add a feature flag to disable the check or remove it altogether; however, I am not too sure how many run into issues with running AppArmor inside a devcontainer base container.
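The following is an added example, not code from the docker-in-docker feature or from the issue author. It shows the securityfs check restructured so that a failed mount is reported as a non-zero return value instead of being tied to the daemon start, with an opt-out flag of the kind the issue proposes. The environment variable `DIND_SKIP_SECURITYFS` and the `MOUNT_CMD` override (used so the failure path can be exercised without root) are assumptions for this example, and the mountpoint test reads `/proc/self/mounts` so it does not depend on the util-linux `mountpoint` binary.

```shell
#!/bin/sh
# Added example (not the feature's own code): non-fatal securityfs check with
# an opt-out flag. DIND_SKIP_SECURITYFS and MOUNT_CMD are hypothetical names.

# is_mountpoint PATH: return 0 if PATH is currently a mount point.
# Prefers /proc/self/mounts (second field is the mount target) and falls back
# to util-linux `mountpoint -q` where /proc is not available.
is_mountpoint() {
    if [ -r /proc/self/mounts ]; then
        awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' /proc/self/mounts
    else
        mountpoint -q "$1"
    fi
}

# ensure_securityfs [DIR]
# Return codes (constructed for this example):
#   0  nothing to do, already mounted, mounted now, or check skipped by flag
#   1  securityfs could not be mounted; a warning is printed and the caller
#      decides whether to continue (the original script's warning text is kept)
ensure_securityfs() {
    _dir="${1:-/sys/kernel/security}"

    # Hypothetical opt-out for runtimes such as ECI that emulate parts of /sys
    # and refuse the mount even under --privileged.
    if [ "${DIND_SKIP_SECURITYFS:-0}" = "1" ]; then
        echo >&2 "securityfs check skipped (DIND_SKIP_SECURITYFS=1); AppArmor detection may be unavailable."
        return 0
    fi

    # No securityfs mount point on this kernel: nothing to mount.
    [ -d "$_dir" ] || return 0

    # Already mounted, e.g. by the outer runtime: nothing to do.
    if is_mountpoint "$_dir"; then
        return 0
    fi

    # MOUNT_CMD defaults to the real mount(8); tests override it.
    if ${MOUNT_CMD:-mount} -t securityfs none "$_dir" 2>/dev/null; then
        return 0
    fi

    echo >&2 "Could not mount $_dir."
    echo >&2 'AppArmor detection and --privileged mode might break.'
    return 1
}
```

A startup script would call it as `ensure_securityfs || echo >&2 'continuing without securityfs'` before launching `dockerd`, so the warning is logged but the daemon start is not blocked; setting `DIND_SKIP_SECURITYFS=1` in the devcontainer's environment silences the attempt entirely where the runtime is known to refuse the mount.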