diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
index 25f6e8c..2b15e1d 100644
--- a/contrib/apparmor/main.go
+++ b/contrib/apparmor/main.go
@@ -13,6 +13,7 @@ import (
 type profileData struct {
 MajorVersion int
 MinorVersion int
+ PatchLevel int
 }
 func main() {
@@ -23,13 +24,14 @@ func main() {
 // parse the arg
 apparmorProfilePath := os.Args[1]
- majorVersion, minorVersion, err := aaparser.GetVersion()
+ majorVersion, minorVersion, patchLevel, err := aaparser.GetVersion()
 if err != nil {
 log.Fatal(err)
 }
 data := profileData{
 MajorVersion: majorVersion,
 MinorVersion: minorVersion,
+ PatchLevel: patchLevel,
 }
 fmt.Printf("apparmor_parser is of version %+v\n", data)
diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index 5bbfef6..33859fd 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -27,6 +27,7 @@ type data struct {
 InnerImports []string
 MajorVersion int
 MinorVersion int
+ PatchLevel int
 }
 const baseTemplate = `
@@ -64,10 +65,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}
+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}{{if ge .PatchLevel 95}}
+ # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr)
+ # apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule
+ # other apparmor-2.8 versions do not support this rule
 # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
 ptrace (trace,read) peer=docker-default,
-{{end}}{{end}}
+{{end}}{{end}}{{end}}
 {{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
 # docker daemon confinement requires explict allow rule for signal
 signal (receive) set=(kill,term) peer={{.ExecPath}},
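Review bot: The added `{{if ge .PatchLevel 95}}` gate makes the version check a per-component comparison, so any parser whose third component is below 95 — 2.9.0, 2.9.1, 2.10.x, 3.x — now fails it and the `ptrace (trace,read) peer=docker-default` rule is silently dropped from the generated profile, even though the hunk's own comment says only the other 2.8 releases lack ptrace-rule support. The three components have to be compared as a tuple: replace the new line with `{{if or (gt .MajorVersion 2) (and (eq .MajorVersion 2) (or (gt .MinorVersion 8) (and (eq .MinorVersion 8) (ge .PatchLevel 95))))}}` and the closing line with a single `{{end}}`, or, more readably, have the Go side precompute one comparable integer such as `major*1000000 + minor*1000 + patch` and gate on `{{if ge .Version 2008095}}`. The pre-existing `{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}` gate on the signal rule has the same shape and would also fail for a 3.x parser. This hunk is inside the `baseTemplate` string constant, whose start and end lie outside the hunk.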
@@ -91,7 +95,7 @@ func generateProfile(out io.Writer) error {
 if abstractionsExists() {
 data.InnerImports = append(data.InnerImports, "#include ")
 }
- data.MajorVersion, data.MinorVersion, err = aaparser.GetVersion()
+ data.MajorVersion, data.MinorVersion, data.PatchLevel, err = aaparser.GetVersion()
 if err != nil {
 return err
 }
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
index 23dda99..a2f2f58 100644
--- a/pkg/aaparser/aaparser.go
+++ b/pkg/aaparser/aaparser.go
@@ -8,8 +8,8 @@ import (
 "strings"
 )
-// GetVersion returns the major and minor version of apparmor_parser
-func GetVersion() (int, int, error) {
+// GetVersion returns the major, minor and patch level version of apparmor_parser
+func GetVersion() (int, int, int, error) {
 // get the apparmor_version version
 cmd := exec.Command("apparmor_parser", "--version")
@@ -29,17 +29,25 @@ func GetVersion() (int, int, error) {
 // split by major minor version
 v := strings.Split(version, ".")
 if len(v) < 2 {
- return -1, -1, fmt.Errorf("parsing major minor version failed for %q", version)
+ return -1, -1, -1, fmt.Errorf("parsing major minor and patch level version failed for %q", version)
 }
 majorVersion, err := strconv.Atoi(v[0])
 if err != nil {
- return -1, -1, err
+ return -1, -1, -1, err
 }
 minorVersion, err := strconv.Atoi(v[1])
 if err != nil {
- return -1, -1, err
+ return -1, -1, -1, err
 }
- return majorVersion, minorVersion, nil
+ patchLevel := 0
+
+ if len(v) == 3 {
+ patchLevel, err = strconv.Atoi(v[2])
+ if err != nil {
+ return -1, -1, -1, err
+ }
+ }
+ return majorVersion, minorVersion, patchLevel, nil
 }
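Review bot: The new doc comment on `GetVersion` does not say what the third value is when `apparmor_parser --version` reports only two components, while the body (in the following hunk) returns 0 in that case and -1 for all three values on every visible error path; callers that gate profile rules on the patch level need that contract spelled out. Suggest `// GetVersion returns the major, minor and patch level version of apparmor_parser. The patch level is 0 when the reported version has no third component; all three values are -1 when err is non-nil.` The function body continues outside this hunk.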
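Review bot: `if len(v) == 3` silently reports patch level 0 for any version string with four or more dot-separated components (for example `2.10.95.1`), and a caller that then tests `ge .PatchLevel 95` will drop the rule it guards; the condition should be `if len(v) >= 3 {` so the third component is always parsed. Distribution builds also print suffixed versions (a string like `2.8.95~2430-0ubuntu5` is plausible for the Ubuntu 14.04 release the commit targets), and unless the code above this hunk already strips the `~`/`-` suffix — not visible here — `strconv.Atoi(v[2])` fails and `GetVersion` returns an error instead of a usable version, so consider `patchLevel, err = strconv.Atoi(strings.SplitN(strings.SplitN(v[2], "~", 2)[0], "-", 2)[0])`. The reworded error `parsing major minor and patch level version failed for %q` is raised only when fewer than two components are present, which is misleading now that the patch level is optional; the previous `parsing major minor version failed for %q` described that branch accurately. The start of `GetVersion` lies outside this hunk.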