Dockerfile

Volumes

Make sure you have the following volume mounted in your Dockerfile:

volumes:
  - /var/run/dbus:/var/run/dbus

Security Options

Include this security_opt in the Dockerfile as well:

security_opt:
  - apparmor:docker-ble-policy

AppArmor policy

Create a file called docker-ble-policy with the following content:

#include <tunables/global>

profile docker-ble-policy flags=(attach_disconnected,mediate_deleted) {

  #include <abstractions/base>
  #include <abstractions/dbus-strict>

  dbus (send) bus=system peer=(name=org.bluez, label=unconfined),
  dbus (send, receive) bus=system interface=org.freedesktop.DBus.ObjectManager peer=(label=unconfined),

  network,
  capability,
  file,
  umount,

  signal (send,receive) peer=docker-ble-policy,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,


  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read,tracedby,readby) peer=docker-ble-policy,

}

After creating that file, perform the following command:

sudo apparmor_parser -r -W docker-ble-policy

Things I did as well

For these things, I am not sure if this helped, but they didn't hurt:

Install bluez

sudo apt install bluez

Reboot

I did a reboot after all this, just to be sure. I read somewhere that it mattered, sooo 🤷

wimhaanstra/README.md