Accepting request 480819 from home:cyphar:containers

- Add a backport of the fix for the AppArmor lazy-loading docker-exec case.
  https://github.com/docker/docker/pull/31773
  + pr31773-daemon-also-ensureDefaultApparmorProfile-in-exec-pat.patch

OBS-URL: https://build.opensuse.org/request/show/480819
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=173
Jordi Massaguer 2017-03-17 13:18:51 +00:00 committed by Git OBS Bridge
parent 9c1f006520
commit 757ddedc74
3 changed files with 69 additions and 0 deletions

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Mar 17 11:08:03 UTC 2017 - asarai@suse.com
- Add a backport of fix to AppArmor lazy loading docker-exec case.
https://github.com/docker/docker/pull/31773
+ pr31773-daemon-also-ensureDefaultApparmorProfile-in-exec-pat.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 8 00:48:46 UTC 2017 - asarai@suse.com Wed Mar 8 00:48:46 UTC 2017 - asarai@suse.com

@ -70,8 +70,10 @@ Patch103: boltdb_bolt_add_brokenUnaligned.patch
# branch in http://github.com/suse/docker.mirror. # branch in http://github.com/suse/docker.mirror.
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
# PATCH-FIX-UPSTREAM: Backports.
Patch300: integration-cli-fix-TestInfoEnsureSucceeds.patch Patch300: integration-cli-fix-TestInfoEnsureSucceeds.patch
Patch301: pr31549-cmd-docker-fix-TestDaemonCommand.patch Patch301: pr31549-cmd-docker-fix-TestDaemonCommand.patch
Patch302: pr31773-daemon-also-ensureDefaultApparmorProfile-in-exec-pat.patch
BuildRequires: audit BuildRequires: audit
BuildRequires: bash-completion BuildRequires: bash-completion
BuildRequires: ca-certificates BuildRequires: ca-certificates
@ -185,6 +187,7 @@ Test package for docker. It contains the source code and the tests.
%endif %endif
%patch300 -p1 %patch300 -p1
%patch301 -p1 %patch301 -p1
%patch302 -p1
cp %{SOURCE7} . cp %{SOURCE7} .
cp %{SOURCE10} . cp %{SOURCE10} .

@ -0,0 +1,59 @@
From 790a81ea9acce318d0e037771c253951b874140b Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 13 Mar 2017 14:57:35 +1100
Subject: [PATCH] daemon: also ensureDefaultApparmorProfile in exec path
When 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
profiles") was merged, it didn't correctly handle the exec path if
AppArmor profiles were deleted. Fix this by duplicating the
ensureDefaultApparmorProfile code in the exec code.
Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/exec_linux.go | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
index 5aeedc347027..bb11c11e447c 100644
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@@ -5,6 +5,7 @@ import (
"github.com/docker/docker/daemon/caps"
"github.com/docker/docker/daemon/exec"
"github.com/docker/docker/libcontainerd"
+ "github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runtime-spec/specs-go"
)
@@ -23,5 +24,27 @@ func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainer
if ec.Privileged {
p.Capabilities = caps.GetAllCapabilities()
}
+ if apparmor.IsEnabled() {
+ var appArmorProfile string
+ if c.AppArmorProfile != "" {
+ appArmorProfile = c.AppArmorProfile
+ } else if c.HostConfig.Privileged {
+ appArmorProfile = "unconfined"
+ } else {
+ appArmorProfile = "docker-default"
+ }
+
+ if appArmorProfile == "docker-default" {
+ // Unattended upgrades and other fun services can unload AppArmor
+ // profiles inadvertently. Since we cannot store our profile in
+ // /etc/apparmor.d, nor can we practically add other ways of
+ // telling the system to keep our profile loaded, in order to make
+ // sure that we keep the default profile enabled we dynamically
+ // reload it if necessary.
+ if err := ensureDefaultAppArmorProfile(); err != nil {
+ return err
+ }
+ }
+ }
return nil
}
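Review bot: the profile-resolution chain at the top of this hunk (explicit c.AppArmorProfile, else "unconfined" when c.HostConfig.Privileged, else "docker-default") is, as the commit message says, a copy of the container-start logic rather than a shared helper; extracting it into one function that both the start and exec paths call would keep the two from drifting the next time the fallback rules change and would let the unattended-upgrades comment live in one place. Note also that the re-ensure only covers the resolved "docker-default" case, so a container running under a custom profile that has since been unloaded gets no check in this path at all; that is presumably by design, since the daemon only owns docker-default, but a one-line comment saying so would save the next reader the question. Minor: the `return err` after ensureDefaultAppArmorProfile() passes the error up without context, so wrapping it with the container id or a "reloading docker-default for exec" prefix would make the daemon log easier to correlate.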
--
2.12.0