author | 2018-10-28 18:26:09 +0100 | |
---|---|---|
committer | 2018-10-28 18:28:49 +0100 | |
commit | bf1218d4bcf8d5909886ccee0177cd92b68f01e0 (patch) | |
tree | 1d361ecae27411737b366e39560923c7dc145902 /app-emulation/docker/files | |
parent | app-xemacs/xemacs-packages-all: stable 2018.08.11 for ppc, bug #666312 (diff) | |
download | gentoo-bf1218d4bcf8d5909886ccee0177cd92b68f01e0.tar.gz gentoo-bf1218d4bcf8d5909886ccee0177cd92b68f01e0.tar.bz2 gentoo-bf1218d4bcf8d5909886ccee0177cd92b68f01e0.zip |
app-emulation/docker: Add new version of apparmor profile patch
Signed-off-by: Manuel Rüger <mrueg@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Diffstat (limited to 'app-emulation/docker/files')
-rw-r--r-- | app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch b/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
new file mode 100644
index 000000000000..fd365425fb95
--- /dev/null
+++ b/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
@@ -0,0 +1,72 @@
+From 4822fb1e2423d88cdf0ad5d039b8fd3274b05401 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Sun, 8 Apr 2018 20:21:30 +1000
+Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
+
+In newer kernels, AppArmor will reject attempts to send signals to a
+container because the signal originated from outside of that AppArmor
+profile. Correct this by allowing all unconfined signals to be received.
+
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ profiles/apparmor/apparmor.go | 21 +++++++++++++++++++++
+ profiles/apparmor/template.go | 6 ++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
+index b021668c8e4c..2f58ee852cab 100644
+--- a/components/engine/profiles/apparmor/apparmor.go
++++ b/components/engine/profiles/apparmor/apparmor.go
+@@ -23,6 +23,8 @@ var (
+ type profileData struct {
+ // Name is profile name.
+ Name string
++ // DaemonProfile is the profile name of our daemon.
++ DaemonProfile string
+ // Imports defines the apparmor functions to import, before defining the profile.
+ Imports []string
+ // InnerImports defines the apparmor functions to import in the profile.
+@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
+ Name: name,
+ }
+ 
++ // Figure out the daemon profile.
++ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
++ if err != nil {
++ // If we couldn't get the daemon profile, assume we are running
++ // unconfined which is generally the default.
++ currentProfile = nil
++ }
++ daemonProfile := string(currentProfile)
++ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
++ // profiles cannot contain spaces so this doesn't restrict daemon profile
++ // names.
++ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
++ daemonProfile = parts[0]
++ }
++ if daemonProfile == "" {
++ daemonProfile = "unconfined"
++ }
++ p.DaemonProfile = daemonProfile
++
+ // Install to a temporary directory.
+ f, err := ioutil.TempFile("", name)
+ if err != nil {
+diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
+index c00a3f70e993..400b3bd50a11 100644
+--- a/components/engine/profiles/apparmor/template.go
++++ b/components/engine/profiles/apparmor/template.go
+@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+ capability,
+ file,
+ umount,
++{{if ge .Version 208096}}
++{{/* Allow 'docker kill' to actually send signals to container processes. */}}
++ signal (receive) peer={{.DaemonProfile}},
++{{/* Allow container processes to send signals amongst themselves. */}}
++ signal (send,receive) peer={{.Name}},
++{{end}}
+ 
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ # deny write to files not in /proc/<number>/** or /proc/sys/**
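Review bot: In the nested apparmor.go hunk the `len(parts) >= 1` guard around `strings.SplitN` can never be false (with n=2 SplitN returns at least one element, even for an empty string), and the value read from `/proc/self/attr/current` is never trimmed, so a trailing newline — which that file appears to carry — would survive into `p.DaemonProfile` and be emitted right after `peer=` in the template hunk. Replacing the three-line `if` with `daemonProfile = strings.SplitN(strings.TrimSpace(daemonProfile), " ", 2)[0]` removes the dead condition and the stray whitespace in one step. The `unconfined` fallback on a read error means any unconfined process is then permitted to signal the container, which matches the commit message's intent but deserves a log line at that point so operators can tell which peer was chosen for the profile. Both `InstallDefault` and the template's `profile` block continue outside this hunk, and since this file is a carried patch the change belongs in the patch body (and ideally upstream) rather than in the ebuild.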