Accepting request 598552 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/598552
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=73
Dominique Leuenberger 2018-04-22 12:35:27 +00:00 committed by Git OBS Bridge
commit f556da197a
2 changed files with 16 additions and 6 deletions


@ -1,4 +1,4 @@
From c11493737b4a5ffd59d635650f3a0d45f220ad2b Mon Sep 17 00:00:00 2001 From fb59d17b2617ebee34f91786428f63571a19bb74 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000 Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill' Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
@ -7,22 +7,25 @@ In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received. profile. Correct this by allowing all unconfined signals to be received.
SUSE-Bug: bsc#1073877 SUSE-Bugs: bsc#1073877 boo#1089732
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
components/engine/profiles/apparmor/template.go | 1 + components/engine/profiles/apparmor/template.go | 4 ++++
1 file changed, 1 insertion(+) 1 file changed, 4 insertions(+)
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c5ea4584de6b..4830ac440645 100644 index c5ea4584de6b..47c1b0659a15 100644
--- a/components/engine/profiles/apparmor/template.go --- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { @@ -17,6 +17,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
capability, capability,
file, file,
umount, umount,
+{{if ge .Version 208096}}
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+ signal (receive) peer=unconfined, + signal (receive) peer=unconfined,
+{{end}}
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/** # deny write to files not in /proc/<number>/** or /proc/sys/**
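Review bot: the new `{{if ge .Version 208096}}` guard around `signal (receive) peer=unconfined,` introduces a bare magic number; nothing in the hunk says that 208096 is the encoded apparmor_parser version below which a `signal` rule is not understood, so the adjacent `{{/* Allow 'docker kill' ... */}}` comment should also state the version requirement, or the threshold should become a named constant in template.go so the next reader does not have to reverse-engineer the encoding. Gating the rule is the right approach, because a parser that does not know the `signal` keyword rejects the whole profile rather than just that line, and the patch description already notes that the rule admits signals from any unconfined process, not only dockerd; that trade-off is acceptable for the stated purpose, but the patch description should also say that on parsers below the threshold the generated profile contains no signal rule at all, so the original bsc#1073877 behaviour remains on those hosts.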


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Apr 19 11:23:32 UTC 2018 - asarai@suse.com
- Fix up the AppArmor 'docker kill' patch to work on older AppArmor versions.
boo#1089732
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 10 09:25:43 UTC 2018 - asarai@suse.com Tue Apr 10 09:25:43 UTC 2018 - asarai@suse.com
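Review bot: the changelog entry says the patch was fixed up "to work on older AppArmor versions" but not how; from the patch hunk above the `signal (receive)` rule is now emitted only when `.Version` is at least 208096, so older AppArmor gets a profile without it. One more line stating that explicitly (the rule is conditional on parser support, and 'docker kill' is unchanged on parsers below that version) would let users reading the changelog know what to expect on their release.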