authorManuel Rüger <mrueg@gentoo.org>2018-10-28 18:26:09 +0100
committerManuel Rüger <mrueg@gentoo.org>2018-10-28 18:28:49 +0100
commitbf1218d4bcf8d5909886ccee0177cd92b68f01e0 (patch)
tree1d361ecae27411737b366e39560923c7dc145902 /app-emulation/docker/files
parentapp-xemacs/xemacs-packages-all: stable 2018.08.11 for ppc, bug #666312 (diff)
app-emulation/docker: Add new version of apparmor profile patch
Signed-off-by: Manuel Rüger <mrueg@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Diffstat (limited to 'app-emulation/docker/files')
-rw-r--r--app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch72
1 files changed, 72 insertions, 0 deletions
diff --git a/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch b/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
new file mode 100644
index 000000000000..fd365425fb95
--- /dev/null
+++ b/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
@@ -0,0 +1,72 @@
+From 4822fb1e2423d88cdf0ad5d039b8fd3274b05401 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Sun, 8 Apr 2018 20:21:30 +1000
+Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
+
+In newer kernels, AppArmor will reject attempts to send signals to a
+container because the signal originated from outside of that AppArmor
+profile. Correct this by allowing all unconfined signals to be received.
+
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ profiles/apparmor/apparmor.go | 21 +++++++++++++++++++++
+ profiles/apparmor/template.go | 6 ++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
+index b021668c8e4c..2f58ee852cab 100644
+--- a/components/engine/profiles/apparmor/apparmor.go
++++ b/components/engine/profiles/apparmor/apparmor.go
+@@ -23,6 +23,8 @@ var (
+ type profileData struct {
+ // Name is profile name.
+ Name string
++ // DaemonProfile is the profile name of our daemon.
++ DaemonProfile string
+ // Imports defines the apparmor functions to import, before defining the profile.
+ Imports []string
+ // InnerImports defines the apparmor functions to import in the profile.
+@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
+ Name: name,
+ }
+
++ // Figure out the daemon profile.
++ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
++ if err != nil {
++ // If we couldn't get the daemon profile, assume we are running
++ // unconfined which is generally the default.
++ currentProfile = nil
++ }
++ daemonProfile := string(currentProfile)
++ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
++ // profiles cannot contain spaces so this doesn't restrict daemon profile
++ // names.
++ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
++ daemonProfile = parts[0]
++ }
++ if daemonProfile == "" {
++ daemonProfile = "unconfined"
++ }
++ p.DaemonProfile = daemonProfile
++
+ // Install to a temporary directory.
+ f, err := ioutil.TempFile("", name)
+ if err != nil {
+diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
+index c00a3f70e993..400b3bd50a11 100644
+--- a/components/engine/profiles/apparmor/template.go
++++ b/components/engine/profiles/apparmor/template.go
+@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+ capability,
+ file,
+ umount,
++{{if ge .Version 208096}}
++{{/* Allow 'docker kill' to actually send signals to container processes. */}}
++ signal (receive) peer={{.DaemonProfile}},
++{{/* Allow container processes to send signals amongst themselves. */}}
++ signal (send,receive) peer={{.Name}},
++{{end}}
+
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ # deny write to files not in /proc/<number>/** or /proc/sys/**
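Review bot: The value read from /proc/self/attr/current in the InstallDefault hunk is converted to a string and split on " " without being trimmed, yet the kernel normally terminates that attribute with a trailing newline; for an unconfined daemon there is no space to split on, so daemonProfile keeps the newline and is rendered verbatim into the template's `signal (receive) peer={{.DaemonProfile}},` rule, while the `daemonProfile == ""` fallback only triggers on a read error. Whether the AppArmor parser tolerates the embedded newline is not something this page shows, so the safer change is to normalise first: `daemonProfile := strings.TrimSpace(string(currentProfile))`, which also covers an attribute that is empty apart from whitespace. Since that profile name becomes policy text, a comment such as `// Value comes from the kernel, not the user; only the leading token (no spaces in profile names) is used.` would document why no further escaping is applied. InstallDefault's body continues past the quoted context of the inner hunk, so the later use of err after the new `currentProfile, err :=` declaration cannot be checked here.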