From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sun, 8 Apr 2018 20:21:30 +1000 Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill' In newer kernels, AppArmor will reject attempts to send signals to a container because the signal originated from outside of that AppArmor profile. Correct this by allowing all unconfined signals to be received. Signed-off-by: Goldwyn Rodrigues Signed-off-by: Aleksa Sarai --- .../engine/profiles/apparmor/apparmor.go | 21 +++++++++++++++++++ .../engine/profiles/apparmor/template.go | 6 ++++++ 2 files changed, 27 insertions(+) diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go index b021668c8e4c..2f58ee852cab 100644 --- a/components/engine/profiles/apparmor/apparmor.go +++ b/components/engine/profiles/apparmor/apparmor.go @@ -23,6 +23,8 @@ var ( type profileData struct { // Name is profile name. Name string + // DaemonProfile is the profile name of our daemon. + DaemonProfile string // Imports defines the apparmor functions to import, before defining the profile. Imports []string // InnerImports defines the apparmor functions to import in the profile. @@ -70,6 +72,25 @@ func InstallDefault(name string) error { Name: name, } + // Figure out the daemon profile. + currentProfile, err := ioutil.ReadFile("/proc/self/attr/current") + if err != nil { + // If we couldn't get the daemon profile, assume we are running + // unconfined which is generally the default. + currentProfile = nil + } + daemonProfile := string(currentProfile) + // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor + // profiles cannot contain spaces so this doesn't restrict daemon profile + // names. + if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 { + daemonProfile = parts[0] + } + if daemonProfile == "" { + daemonProfile = "unconfined" + } + p.DaemonProfile = daemonProfile + // Install to a temporary directory. f, err := ioutil.TempFile("", name) if err != nil { diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go index c00a3f70e993..400b3bd50a11 100644 --- a/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go @@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { capability, file, umount, +{{if ge .Version 208096}} +{{/* Allow 'docker kill' to actually send signals to container processes. */}} + signal (receive) peer={{.DaemonProfile}}, +{{/* Allow container processes to send signals amongst themselves. */}} + signal (send,receive) peer={{.Name}}, +{{end}} deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) # deny write to files not in /proc//** or /proc/sys/** -- 2.19.1