diff --git a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
new file mode 100644
index 0000000..334cd47
--- /dev/null
+++ b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
@@ -0,0 +1,31 @@
+From c11493737b4a5ffd59d635650f3a0d45f220ad2b Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Sun, 8 Apr 2018 20:21:30 +1000
+Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
+
+In newer kernels, AppArmor will reject attempts to send signals to a
+container because the signal originated from outside of that AppArmor
+profile. Correct this by allowing all unconfined signals to be received.
+
+SUSE-Bug: bsc#1073877
+Signed-off-by: Goldwyn Rodrigues
+Signed-off-by: Aleksa Sarai
+---
+ components/engine/profiles/apparmor/template.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
+index c5ea4584de6b..4830ac440645 100644
+--- a/components/engine/profiles/apparmor/template.go
++++ b/components/engine/profiles/apparmor/template.go
+@@ -17,6 +17,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+ capability,
+ file,
+ umount,
++ signal (receive) peer=unconfined,
+ 
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ # deny write to files not in /proc//** or /proc/sys/**
+-- 
+2.16.3
+
diff --git a/docker.changes b/docker.changes
index 17935fa..28a940a 100644
--- a/docker.changes
+++ b/docker.changes
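Review bot: The added rule `signal (receive) peer=unconfined,` restores `docker kill` only when the sending process is unconfined; if dockerd itself runs under an AppArmor profile, its signals do not match this peer and are still rejected by the newer-kernel signal mediation the commit message describes. Consider pairing it with a second rule for the daemon's own profile, e.g. `signal (receive) peer=<daemon-profile-name>,` rendered from the template, so the fix does not depend on how the daemon happens to be confined. The rule is also broader than the daemon: it accepts every signal type from any unconfined process on the host, which matches the trust the profile already places in unconfined root but deserves a one-line template comment stating that intent, e.g. `# allow 'docker kill' et al. from unconfined senders (e.g. dockerd)`. The enclosing `profile {{.Name}}` block begins and ends outside the hunk.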
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Apr 10 09:25:43 UTC 2018 - asarai@suse.com
+
+- Add patch to handle AppArmor changes that make 'docker kill' stop working.
+ bsc#1073877
+ + bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+
 -------------------------------------------------------------------
 Fri Apr 6 04:21:28 UTC 2018 - asarai@suse.com
diff --git a/docker.spec b/docker.spec
index 92f4870..305397c 100644
--- a/docker.spec
+++ b/docker.spec
@@ -66,6 +66,8 @@ Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
 Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
+Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: ca-certificates
@@ -194,6 +196,8 @@ Test package for docker. It contains the source code and the tests.
 %patch400 -p1
 # bsc#1021227 bsc#1029320 bsc#1058173
 %patch401 -p1
+# bsc#1073877
+%patch402 -p1
 cp %{SOURCE7} .
 cp %{SOURCE9} .