From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
.../engine/profiles/apparmor/apparmor.go | 21 +++++++++++++++++++
.../engine/profiles/apparmor/template.go | 6 ++++++
2 files changed, 27 insertions(+)
diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
index b021668c8e4c..2f58ee852cab 100644
--- a/components/engine/profiles/apparmor/apparmor.go
+++ b/components/engine/profiles/apparmor/apparmor.go
@@ -23,6 +23,8 @@ var (
type profileData struct {
// Name is profile name.
Name string
+ // DaemonProfile is the profile name of our daemon.
+ DaemonProfile string
// Imports defines the apparmor functions to import, before defining the profile.
Imports []string
// InnerImports defines the apparmor functions to import in the profile.
@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
Name: name,
}
+ // Figure out the daemon profile.
+ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
+ if err != nil {
+ // If we couldn't get the daemon profile, assume we are running
+ // unconfined which is generally the default.
+ currentProfile = nil
+ }
+ daemonProfile := string(currentProfile)
+ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
+ // profiles cannot contain spaces so this doesn't restrict daemon profile
+ // names.
+ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
+ daemonProfile = parts[0]
+ }
+ if daemonProfile == "" {
+ daemonProfile = "unconfined"
+ }
+ p.DaemonProfile = daemonProfile
+
// Install to a temporary directory.
f, err := ioutil.TempFile("", name)
if err != nil {
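Review bot: The value read from `/proc/self/attr/current` is used as-is apart from the split on a space, so when the kernel returns a bare name with no mode suffix (which, to my recollection, is the unconfined case and still ends with a newline) `daemonProfile` keeps that trailing newline, is not empty, and is then spliced verbatim into the `peer=` rule of the template. Trimming first, `daemonProfile := strings.TrimSpace(string(currentProfile))`, would avoid emitting a broken rule, and a check that the token contains only profile-name characters would be a reasonable defensive addition given that it is written unescaped into policy text. The `len(parts) >= 1` condition is always true, since SplitN with n=2 never returns an empty slice, so the guard can be dropped. The read-failure fallback silently names `unconfined` even when the daemon is in fact confined, which would make `docker kill` fail quietly; a log line at that point would help diagnosis. InstallDefault continues outside the hunk.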
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c00a3f70e993..400b3bd50a11 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
capability,
file,
umount,
+{{if ge .Version 208096}}
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+ signal (receive) peer={{.DaemonProfile}},
+{{/* Allow container processes to send signals amongst themselves. */}}
+ signal (send,receive) peer={{.Name}},
+{{end}}
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
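Review bot: The `signal (send,receive) peer={{.Name}}` rule is keyed on the profile name, so it permits signal exchange with every process confined under that name, not only with processes of the same container; if, as I believe, all containers normally share the one default profile, cross-container signalling is then no longer mediated by AppArmor and rests on PID-namespace isolation alone. That is likely the intended trade-off, but it should be stated in the template, e.g. `{{/* Note: this also permits signals between containers that share this profile name; isolation then relies on pid namespaces. */}}`. The `peer={{.DaemonProfile}}` line likewise assumes DaemonProfile is a single clean token, since the value is inserted verbatim into the policy. The profile block continues outside the hunk.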
--
2.19.1