From 5ebf4bf2c7ea7de3d0e8e9527525bfd41709a3babe9b526630bb3d39ff0cefed Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 12 Dec 2019 00:16:15 +0000
Subject: [PATCH 1/4] Accepting request 755959 from home:cyphar:docker

- Support older SLE systems which don't have "usermod -w -v".

OBS-URL: https://build.opensuse.org/request/show/755959
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=331
---
 docker.changes | 5 +++++
 docker.spec | 15 ++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/docker.changes b/docker.changes
index daa5157..ad6ee1c 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Dec 11 23:55:40 UTC 2019 - Aleksa Sarai
+
+- Support older SLE systems which don't have "usermod -w -v".
+
 -------------------------------------------------------------------
 Mon Nov 18 04:46:31 UTC 2019 - Aleksa Sarai
diff --git a/docker.spec b/docker.spec
index 246f6bb..11c8c8f 100644
--- a/docker.spec
+++ b/docker.spec
@@ -419,12 +419,21 @@ getent group docker >/dev/null || groupadd -r docker
 # used for --userns-remap=default.
 getent passwd dockremap >/dev/null || \
 useradd -Ur -p '!' -s /bin/false -c 'docker --userns-remap=default' dockremap
+
+# /etc/sub[ug]id should exist already (it's part of shadow-utils), but older
+# distros don't have it. Docker just parses it and doesn't need any special
+# shadow-utils helpers.
+touch /etc/subuid /etc/subgid ||:
+
 # "useradd -r" doesn't add sub[ug]ids so we manually add some. Hopefully there
 # aren't any conflicts here, because usermod doesn't provide the same "get
 # unusued range" feature that dockremap does.
-touch /etc/sub{uid,gid}
-grep -q '^dockremap:' /etc/sub{uid,gid} || \
- usermod -v 100000000-200000000 -w 100000000-200000000 dockremap
+grep -q '^dockremap:' /etc/subuid || \
+ usermod -v 100000000-200000000 dockremap &>/dev/null || \
+ echo "dockremap:100000000:100000001" >>/etc/subuid ||:
+grep -q '^dockremap:' /etc/subgid || \
+ usermod -w 100000000-200000000 dockremap &>/dev/null || \
+ echo "dockremap:100000000:100000001" >>/etc/subgid ||:
 %service_add_pre %{realname}.service
From 1a3f9b9afa51ea1f6570bd089296e8d4a7c7750627b5557c20fed9496b7663a3 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 12 Dec 2019 13:15:57 +0000
Subject: [PATCH 2/4] Accepting request 756068 from home:cyphar:docker

Update changelog to include old bugfixes.

OBS-URL: https://build.opensuse.org/request/show/756068
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=332
---
 docker.changes | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docker.changes b/docker.changes
index ad6ee1c..6dbefd6 100644
--- a/docker.changes
+++ b/docker.changes
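Review bot: The fallback `echo "dockremap:100000000:100000001" >>/etc/subuid ||:` runs whenever `usermod -v` fails for any reason, not only on an old shadow-utils that lacks the flag, and `&>/dev/null` discards the diagnostic that would tell the two apart; if usermod refused because that range is already assigned to another user, the append creates exactly the overlapping subordinate-ID mapping the comment above hopes to avoid. I would at least guard the fallback on the start of the range, `grep -q ':100000000:' /etc/subuid || echo "dockremap:100000000:100000001" >>/etc/subuid ||:` (and the same for /etc/subgid), and use `2>/dev/null` instead of `&>/dev/null` so only stderr is silenced — the removed `sub{uid,gid}` brace expansion already assumed bash, so `&>` is consistent with the file, but under a strict POSIX sh it is parsed as a background job plus an empty redirect. Splitting the old single `grep -q ... /etc/sub{uid,gid}` into one check per file is a genuine fix, since the old form succeeded as soon as either file had an entry. The scriptlet this belongs to (presumably `%pre`, given the `%service_add_pre` that follows) starts before the hunk.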
@@ -69,7 +69,8 @@ Wed Jul 17 23:15:33 UTC 2019 - Aleksa Sarai
 - Move bash-completion to correct location.
 - Update to Docker 18.09.8-ce. See upstream changelog in the packaged
- /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1142160 CVE-2019-13509
+ /usr/share/doc/packages/docker/CHANGELOG.md.
+ * Includes fixes for CVE-2019-13509 bsc#1142160.
 -------------------------------------------------------------------
 Fri Jun 28 01:21:19 UTC 2019 - Aleksa Sarai
@@ -151,6 +152,8 @@ Tue Feb 5 11:24:02 UTC 2019 - Aleksa Sarai
 - Update to Docker 18.09.1-ce. See upstream changelog in the packaged
 /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1124308
+ * Includes fix for CVE-2018-10092 bsc#1100331.
+ * Includes fix for CVE-2018-20699 bsc#1121768.
 - Remove upstreamed patches.
 - bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
From 28f3e0fe6d460d979cd4c06fa20e834c4966b83b0961697d6eac55df0adf3ab8 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 12 Dec 2019 13:41:28 +0000
Subject: [PATCH 3/4] Accepting request 756074 from home:cyphar:docker

- Add backport of https://github.com/docker/docker/pull/39121. bsc#1122469
+ bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch

OBS-URL: https://build.opensuse.org/request/show/756074
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=333
---
 ...1-apparmor-allow-readby-and-tracedby.patch | 40 +++++++++++++++++++
 docker.changes | 6 +++
 docker.spec | 10 +++-
 3 files changed, 53 insertions(+), 3 deletions(-)
 create mode 100644 bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch

diff --git a/bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch b/bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch
new file mode 100644
index 0000000..03349db
--- /dev/null
+++ b/bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch
@@ -0,0 +1,40 @@
+From cb676052272ed4f6f3b901dbc21510fabf742860 Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues
+Date: Mon, 22 Apr 2019 09:08:28 -0500
+Subject: [PATCH] apparmor: allow readby and tracedby
+
+Fixes audit errors such as:
+
+type=AVC msg=audit(1550236803.810:143):
+apparmor="DENIED" operation="ptrace" profile="docker-default"
+pid=3181 comm="ps" requested_mask="readby" denied_mask="readby"
+peer="docker-default"
+
+audit(1550236375.918:3): apparmor="DENIED" operation="ptrace"
+profile="docker-default" pid=2267 comm="ps"
+requested_mask="tracedby" denied_mask="tracedby"
+peer="docker-default"
+
+SUSE-Bugs: bsc#1122469
+Signed-off-by: Goldwyn Rodrigues
+Signed-off-by: Aleksa Sarai
+---
+ components/engine/profiles/apparmor/template.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
+index 400b3bd50a11..d8db0ee2fb36 100644
+--- a/components/engine/profiles/apparmor/template.go
++++ b/components/engine/profiles/apparmor/template.go
+@@ -44,7 +44,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+
+ {{if ge .Version 208095}}
+ # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+- ptrace (trace,read) peer={{.Name}},
++ ptrace (trace,read,tracedby,readby) peer={{.Name}},
+ {{end}}
+ }
+`
+--
+2.24.0
+
diff --git a/docker.changes b/docker.changes
index 6dbefd6..340dcf3 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Dec 12 13:27:21 UTC 2019 - Aleksa Sarai
+
+- Add backport of https://github.com/docker/docker/pull/39121. bsc#1122469
+ + bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch
+
 -------------------------------------------------------------------
 Wed Dec 11 23:55:40 UTC 2019 - Aleksa Sarai
diff --git a/docker.spec b/docker.spec
index 11c8c8f..078d394 100644
--- a/docker.spec
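Review bot: The widened rule `ptrace (trace,read,tracedby,readby) peer={{.Name}},` in the backported template matches peers by profile name, and the audit lines quoted in the patch description show that name is `docker-default`, which every container without a custom profile shares; so at the AppArmor layer a task in one such container may now also be read or traced by a task in a different container under the same profile, not only by `ps` inside its own container. That is the same scope the existing `trace,read` direction already had, so the change is consistent, but the `# suppress ptrace denials ...` comment above the rule mentions only `docker ps` and `ps`. I would extend that comment so the scope is explicit, e.g. `# peer= matches the profile, not the container: containers sharing this profile may read/trace each other here; pid namespaces and the kernel's ptrace access checks still apply`. Whether the `{{if ge .Version 208095}}` gate is enough for the `tracedby`/`readby` keywords to be accepted by the apparmor_parser versions this package targets is not visible from the hunk and is worth confirming in the changelog entry.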
+++ b/docker.spec
@@ -77,10 +77,12 @@ Source10: docker-daemon.json
 # branch in http://github.com/suse/docker.mirror.
 Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
 Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907.
+Patch300: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277
 Patch401: bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch
-# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907.
-Patch402: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
+# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/39121. bsc#1122469
+Patch402: bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch
 # SUSE-FEATURE: Add support to mirror inofficial/private registries
 # (https://github.com/docker/docker/pull/34319)
 Patch500: private-registry-0001-Add-private-registry-mirror-support.patch
@@ -255,9 +257,11 @@ docker container runtime configuration for kubeadm
 %patch200 -p1
 %patch201 -p1
 %endif
+# revert upstream
+%patch300 -p1
 # bsc#1099277
 %patch401 -p1
-# revert upstream
+# bsc#1122469
 %patch402 -p1
 %if "%flavour" == "kubic"
 # PATCH-SUSE: Mirror patch.
From afde2ad2d88361ab4d997a4bab8fef14061489b014a905ccb024b7a5312127cd Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 12 Dec 2019 13:48:36 +0000
Subject: [PATCH 4/4] Accepting request 756078 from home:cyphar:docker

Fix incorrect CVE entry.

OBS-URL: https://build.opensuse.org/request/show/756078
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=334
---
 docker.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker.changes b/docker.changes
index 340dcf3..a76beed 100644
--- a/docker.changes
+++ b/docker.changes
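Review bot: `Patch402` is reused for an unrelated patch in the first hunk: it previously named the containerd/runc-prefix revert (now `Patch300`) and now names the AppArmor backport, so any older changelog entry or bug report that cites "Patch402" will point at a different file from this revision on. A fresh number for the backport (say `Patch403`, a constructed example) would keep the numbering stable, with the `%prep` hunk reading `%patch403 -p1` under the `# bsc#1122469` comment. The move also applies the revert before `%patch401` instead of after it; whether the two patches touch overlapping files, and so whether application order matters, is not visible here, so a one-line comment next to `%patch300 -p1` stating that the order is irrelevant (or why it is not) would help the next packager.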
@@ -158,7 +158,7 @@ Tue Feb 5 11:24:02 UTC 2019 - Aleksa Sarai
 - Update to Docker 18.09.1-ce. See upstream changelog in the packaged
 /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1124308
- * Includes fix for CVE-2018-10092 bsc#1100331.
+ * Includes fix for CVE-2018-10892 bsc#1100331.
 * Includes fix for CVE-2018-20699 bsc#1121768.
 - Remove upstreamed patches.
 - bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch