rpm/docker
SHA256
1
0
Fork 0
forked from pool/docker
Code Pull Requests Activity
c9962818ba
docker/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch

32 lines
1.2 KiB
Diff
Raw Normal View History

Accepting request 595152 from home:cyphar:containers:apparmor - Add patch to handle AppArmor changes that make 'docker kill' stop working. bsc#1073877 + bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch OBS-URL: https://build.opensuse.org/request/show/595152 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=241
2018-04-12 16:45:14 +02:00
From c11493737b4a5ffd59d635650f3a0d45f220ad2b Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.
SUSE-Bug: bsc#1073877
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/profiles/apparmor/template.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c5ea4584de6b..4830ac440645 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
capability,
file,
umount,
+ signal (receive) peer=unconfined,
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
--
2.16.3
Copy Permalink