canonical / docker-snap

https://snapcraft.io/docker
MIT License

Can't use ssh uri to connect to docker host #87

Open ChinnoDog opened 1 year ago

ChinnoDog commented 1 year ago

I'm trying to run Docker on a remote host over ssh using built-in functionality as explained by this post but I get an error instead.

$ DOCKER_HOST=ssh://<remote host> docker container ls
error during connect: Get "http://docker.example.com/v1.24/containers/json": fork/exec /usr/bin/ssh: permission denied

There is a corresponding event for this.

[19294.913073] audit: type=1400 audit(1677267537.941:192): apparmor="DENIED" operation="exec" profile="snap.docker.docker" name="/usr/bin/ssh" pid=7127 comm="docker" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0

I updated /var/lib/snapd/apparmor/profiles/snap.docker.docker with entries for this error and the subsequent ones that occurred with the lines below. This is my first time updating an apparmor profile so it might not follow best practices.

/{,usr/}bin/ssh ixr,
@{HOME}/.ssh/** r,
@{HOME}/.ssh/known_hosts w,
/etc/ssh/ssh_config* r,
/etc/gss/mech.d/ r,

I then ran apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.docker.docker to apply it. It seems to work now.

xnox commented 1 year ago

@{HOME}/.ssh/** r,

seems dangerous, as it gives the docker binary access to the private ssh key. It would be best if docker would only be allowed to talk to an existing gpg-agent running as the user, without having direct access to private keys that could be in .ssh, with ssh-agent being separately confined. Reading .pub files in .ssh is fine however.

I don't know if there is an existing interface to access ssh client, or if this could be added to docker-support interface itself. This should probably be filed as a request against snapd itself.
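Profile fragment added here as an example (it is not from either comment above nor from the docker-snap project) that keeps the rules ChinnoDog needed but narrows the `.ssh` access along the lines xnox suggests: public keys, client config and known_hosts only, the common private key names explicitly denied, and the agent reached through its socket. The agent socket paths are assumptions (the ssh-agent user unit and GNOME keyring locations on Ubuntu); match them to `$SSH_AUTH_SOCK` on the host.

```apparmor
# Added example: narrowed rules for docker's ssh:// transport, to be read
# alongside the rules posted in the issue. Not the snap's shipped profile.

# docker execs the system ssh client (the exec denied in the audit line);
# 'ix' keeps ssh inside this profile, so the rules below apply to it too
/{,usr/}bin/ssh ixr,

# Client configuration, system-wide and per-user
/etc/ssh/ssh_config* r,
owner @{HOME}/.ssh/config r,

# Host key database: read on connect, written when a new host is accepted
owner @{HOME}/.ssh/known_hosts rw,
owner @{HOME}/.ssh/known_hosts.old rw,

# Public halves only; anything not listed is denied by default, and the
# usual private key names are denied explicitly so attempts are logged
owner @{HOME}/.ssh/*.pub r,
audit deny @{HOME}/.ssh/{id_rsa,id_ecdsa,id_ed25519,id_dsa} r,

# Agent socket, so ssh authenticates via the agent instead of key files
# (assumed paths; check $SSH_AUTH_SOCK)
owner /run/user/[0-9]*/openssh_agent rw,
owner /run/user/[0-9]*/keyring/ssh rw,

# GSSAPI mechanism list the client consults
/etc/gss/mech.d/ r,
```

Note that snapd regenerates the profiles under /var/lib/snapd/apparmor/profiles when a snap refreshes, so a hand edit there is a test of the rules rather than a durable fix; the durable place is an interface in snapd, as xnox says.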