From b7f9caccb8a3cb7a660bbaa5ec8e2b299c3ae20e4f9cbc542f97303288d8e63c Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 11:09:45 +0000 Subject: [PATCH] Accepting request 619741 from home:cyphar:docker_apparmor - Update the AppArmor patchset again to fix a separate issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. bsc#1099277 * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch OBS-URL: https://build.opensuse.org/request/show/619741 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=254 --- ...eceiving-of-signals-from-docker-kill.patch | 4 +- ...bber-docker-default-profile-on-start.patch | 87 +++++++++++++++++++ docker.changes | 11 ++- docker.spec | 4 + 4 files changed, 103 insertions(+), 3 deletions(-) create mode 100644 bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch diff --git a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch index 0586f5e..3a6f9e0 100644 --- a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch +++ b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch @@ -1,7 +1,7 @@ From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sun, 8 Apr 2018 20:21:30 +1000 -Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill' +Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill' In newer kernels, AppArmor will reject attempts to send signals to a container because the signal originated from outside of that AppArmor 
@@ -32,5 +32,5 @@ index c5ea4584de6b..082638e85903 100644 deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) # deny write to files not in /proc//** or /proc/sys/** -- -2.16.3 +2.17.1 diff --git a/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch b/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch new file mode 100644 index 0000000..3ace15b --- /dev/null +++ b/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch 
@@ -0,0 +1,87 @@
+From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Fri, 29 Jun 2018 17:59:30 +1000
+Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
+
+In the process of making docker-default reloading far less expensive,
+567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
+profiles") mistakenly made the initial profile load at dockerd start-up
+lazy. As a result, if you have a running Docker daemon and upgrade it to
+a new one with an updated AppArmor profile the new profile will not take
+effect (because the old one is still loaded). The fix for this is quite
+trivial, and just requires us to clobber the profile on start-up.
+
+Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles")
+SUSE-Bugs: bsc#1099277
+Signed-off-by: Aleksa Sarai
+---
+ components/engine/daemon/apparmor_default.go | 14 ++++++++++----
+ .../engine/daemon/apparmor_default_unsupported.go | 4 ++++
+ components/engine/daemon/daemon.go | 4 +++-
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go
+index 2a418b25c241..c3e271ee4774 100644
+--- a/components/engine/daemon/apparmor_default.go
++++ b/components/engine/daemon/apparmor_default.go
+@@ -14,6 +14,15 @@ const (
+ defaultApparmorProfile = "docker-default"
+ )
+
++func clobberDefaultAppArmorProfile() error {
++ if apparmor.IsEnabled() {
++ if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
++ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
++ }
++ }
++ return nil
++}
++
+ func ensureDefaultAppArmorProfile() error {
+ if apparmor.IsEnabled() {
+ loaded, err := aaprofile.IsLoaded(defaultApparmorProfile)
+@@ -27,10 +36,7 @@ func ensureDefaultAppArmorProfile() error {
+ }
+
+ // Load the profile.
+- if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
+- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
+- }
++ return clobberDefaultAppArmorProfile()
+ }
+-
+ return nil
+ }
+diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go
+index cd2dd9702ef2..17584063c711 100644
+--- a/components/engine/daemon/apparmor_default_unsupported.go
++++ b/components/engine/daemon/apparmor_default_unsupported.go
+@@ -2,6 +2,10 @@
+
+ package daemon
+
++func clobberDefaultAppArmorProfile() error {
++ return nil
++}
++
+ func ensureDefaultAppArmorProfile() error {
+ return nil
+ }
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index a11a1f8691cc..6f8846b19f57 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
+ logrus.Warnf("Failed to configure golang's threads limit: %v", err)
+ }
+
+- if err := ensureDefaultAppArmorProfile(); err != nil {
++ // Make sure we clobber any pre-existing docker-default profile to ensure
++ // that upgrades to the profile actually work smoothly.
++ if err := clobberDefaultAppArmorProfile(); err != nil {
+ logrus.Errorf(err.Error())
+ }
+
+--
+2.17.1
+
diff --git a/docker.changes b/docker.changes
index bbd68ba..03b9b30 100644
--- a/docker.changes
+++ b/docker.changes
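Review bot: When `clobberDefaultAppArmorProfile()` fails in `NewDaemon`, the error is only logged via `logrus.Errorf(err.Error())` and start-up continues with whatever docker-default profile the kernel already has loaded; since `ensureDefaultAppArmorProfile` still accepts an already-loaded profile as good (the `aaprofile.IsLoaded` path, whose body is partly outside this hunk), a stale policy would then persist for the daemon's lifetime with that single log line as the only signal. Consider returning the error from `NewDaemon` if its signature allows it (not visible here), and in any case use `logrus.Error(err)` instead of passing the error text as a format string. The new function also re-checks `apparmor.IsEnabled()` even though `ensureDefaultAppArmorProfile` only calls it from inside its own `apparmor.IsEnabled()` branch, which is harmless but worth a one-line note, and it carries no doc comment; suggest `// clobberDefaultAppArmorProfile unconditionally (re)loads the docker-default profile when AppArmor is enabled, so that a profile updated on disk replaces the one the kernel already has loaded.` The no-op stub added in apparmor_default_unsupported.go would take a mirrored comment stating that it is a no-op on builds without AppArmor support.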
@@ -1,7 +1,16 @@
+-------------------------------------------------------------------
+Fri Jun 29 08:35:56 UTC 2018 - asarai@suse.com
+
+- Update the AppArmor patchset again to fix a separate issue where changed
+ AppArmor profiles don't actually get applied on Docker daemon reboot.
+ bsc#1099277
+ * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+ + bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
+
 -------------------------------------------------------------------
 Wed Jun 13 10:19:23 UTC 2018 - dcassany@suse.com
 
-- Make use of %license macro
+- Make use of %license macro
 
 -------------------------------------------------------------------
 Tue Jun 5 11:24:35 UTC 2018 - asarai@suse.com
diff --git a/docker.spec b/docker.spec
index 5ab4af5..762dbb9 100644
--- a/docker.spec
+++ b/docker.spec
@@ -68,6 +68,8 @@ Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespa
 Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
 Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
+Patch403: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: ca-certificates
@@ -198,6 +200,8 @@ Test package for docker. It contains the source code and the tests.
 %patch401 -p1
 # bsc#1073877
 %patch402 -p1
+# bsc#1099277
+%patch403 -p1
 cp %{SOURCE7} .
 cp %{SOURCE9} .