docker/fix-apparmor.patch


diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
index 25f6e8c..2b15e1d 100644
--- a/contrib/apparmor/main.go
+++ b/contrib/apparmor/main.go
@@ -13,6 +13,7 @@ import (
type profileData struct {
MajorVersion int
MinorVersion int
+ PatchLevel int
}
func main() {
@@ -23,13 +24,14 @@ func main() {
// parse the arg
apparmorProfilePath := os.Args[1]
- majorVersion, minorVersion, err := aaparser.GetVersion()
+ majorVersion, minorVersion, patchLevel, err := aaparser.GetVersion()
if err != nil {
log.Fatal(err)
}
data := profileData{
MajorVersion: majorVersion,
MinorVersion: minorVersion,
+ PatchLevel: patchLevel,
}
fmt.Printf("apparmor_parser is of version %+v\n", data)
diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index 5bbfef6..33859fd 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -27,6 +27,7 @@ type data struct {
InnerImports []string
MajorVersion int
MinorVersion int
+ PatchLevel int
}
const baseTemplate = `
@@ -64,10 +65,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}
+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}{{if ge .PatchLevel 95}}
+ # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr)
+ # apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule
+ # other apparmor-2.8 versions do not support this rule
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read) peer=docker-default,
-{{end}}{{end}}
+{{end}}{{end}}{{end}}
{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
# docker daemon confinement requires explict allow rule for signal
signal (receive) set=(kill,term) peer={{.ExecPath}},
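Review bot: The nested `ge` checks on the ptrace gate (and on the signal gate just below it) test each version component independently rather than comparing a version, so a 2.9.0 parser (PatchLevel 0) fails `ge .PatchLevel 95` and loses the ptrace rule the new comment says 2.9 supports, and any 3.x parser fails `ge .MinorVersion 8` and loses both rules, assuming those releases report plain major.minor.patch strings. Either compute one comparable integer in Go (e.g. major*100000 + minor*1000 + patch) and gate on `{{if ge .Version 208095}}`, or write the lexicographic test in the template: `{{if or (gt .MajorVersion 2) (and (eq .MajorVersion 2) (or (gt .MinorVersion 8) (and (eq .MinorVersion 8) (ge .PatchLevel 95))))}}`. The effect of the current gate is a missing allow rule, so it fails closed rather than weakening confinement, but it silently reintroduces the `docker ps` ptrace denials the rule exists to suppress. The baseTemplate literal continues outside the hunk.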
@@ -91,7 +95,7 @@ func generateProfile(out io.Writer) error {
if abstractionsExists() {
data.InnerImports = append(data.InnerImports, "#include <abstractions/base>")
}
- data.MajorVersion, data.MinorVersion, err = aaparser.GetVersion()
+ data.MajorVersion, data.MinorVersion, data.PatchLevel, err = aaparser.GetVersion()
if err != nil {
return err
}
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
index 23dda99..a2f2f58 100644
--- a/pkg/aaparser/aaparser.go
+++ b/pkg/aaparser/aaparser.go
@@ -8,8 +8,8 @@ import (
"strings"
)
-// GetVersion returns the major and minor version of apparmor_parser
-func GetVersion() (int, int, error) {
+// GetVersion returns the major, minor and patch level version of apparmor_parser
+func GetVersion() (int, int, int, error) {
// get the apparmor_version version
cmd := exec.Command("apparmor_parser", "--version")
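Review bot: The updated doc comment does not say what callers get when the version string has no third component or when parsing fails, both of which the body below decides for them. I would write `// GetVersion returns the major, minor and patch level version of apparmor_parser. The patch level is 0 when the reported version has only two components; all three values are -1 when the version cannot be parsed.` so that template gates built on PatchLevel are not written against an assumed meaning of 0. GetVersion's body continues past this hunk.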
@@ -29,17 +29,25 @@ func GetVersion() (int, int, error) {
// split by major minor version
v := strings.Split(version, ".")
if len(v) < 2 {
- return -1, -1, fmt.Errorf("parsing major minor version failed for %q", version)
+ return -1, -1, -1, fmt.Errorf("parsing major minor and patch level version failed for %q", version)
}
majorVersion, err := strconv.Atoi(v[0])
if err != nil {
- return -1, -1, err
+ return -1, -1, -1, err
}
minorVersion, err := strconv.Atoi(v[1])
if err != nil {
- return -1, -1, err
+ return -1, -1, -1, err
}
- return majorVersion, minorVersion, nil
+ patchLevel := 0
+
+ if len(v) == 3 {
+ patchLevel, err = strconv.Atoi(v[2])
+ if err != nil {
+ return -1, -1, -1, err
+ }
+ }
+ return majorVersion, minorVersion, patchLevel, nil
}
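Review bot: `if len(v) == 3` silently maps any version with more than three dot-separated components to a patch level of 0, which then fails the profile template's `ge .PatchLevel 95` gate and drops the ptrace rule without any error; `if len(v) >= 3` keeps the first three components as intended. The error text on the `len(v) < 2` branch should also not claim the patch level is required, since the code treats it as optional. The lines that extract `version` sit above the hunk, so whether distro builds ever emit a four-component or suffixed value cannot be confirmed here; if they do, `strconv.Atoi` on the third component makes GetVersion fail outright rather than degrade, which at least surfaces the problem instead of generating a profile from a guessed version.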