diff --git a/docker.changes b/docker.changes
index d45c660..ebf8005 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Sep 12 13:21:40 UTC 2014 - cbosdonnat@suse.com
+
+- Generated AppArmor profile used mount rules which aren't supported
+ in our version of AppArmor. libcontainer-apparmor-fixes.patch
+
 -------------------------------------------------------------------
 Thu Sep 4 15:41:39 UTC 2014 - fcastelli@suse.com
diff --git a/docker.spec b/docker.spec
index 6530734..6500a65 100644
--- a/docker.spec
+++ b/docker.spec
@@ -33,6 +33,8 @@ Source5: docker.socket
 Source6: docker-rpmlintrc
 Source7: README_SUSE.md
 Patch0: 0002-Stripped-dockerinit-binary.patch
+# PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor
+Patch1: libcontainer-apparmor-fixes.patch
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel >= 1.2.68
 BuildRequires: glibc-devel-static
@@ -91,6 +93,7 @@ Zsh command line completion support for %{name}.
 %prep
 %setup -q -n docker
 %patch0 -p1
+%patch1 -p1
 cp %{SOURCE7} .
 %build
diff --git a/libcontainer-apparmor-fixes.patch b/libcontainer-apparmor-fixes.patch
new file mode 100644
index 0000000..ddb8a82
--- /dev/null
+++ b/libcontainer-apparmor-fixes.patch
@@ -0,0 +1,34 @@
+Index: docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
+===================================================================
+--- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
++++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
+@@ -25,18 +25,6 @@ profile {{.Name}} flags=(attach_disconne
+ network,
+ capability,
+ file,
+- umount,
+-
+- mount fstype=tmpfs,
+- mount fstype=mqueue,
+- mount fstype=fuse.*,
+- mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+- mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+- mount fstype=fusectl -> /sys/fs/fuse/connections/,
+- mount fstype=securityfs -> /sys/kernel/security/,
+- mount fstype=debugfs -> /sys/kernel/debug/,
+- mount fstype=proc -> /proc/,
+- mount fstype=sysfs -> /sys/,
+
+ deny @{PROC}/sys/fs/** wklx,
+ deny @{PROC}/sysrq-trigger rwklx,
+@@ -45,10 +33,6 @@ profile {{.Name}} flags=(attach_disconne
+ deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+ deny @{PROC}/sys/kernel/*/** wklx,
+
+- deny mount options=(ro, remount) -> /,
+- deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+- deny mount fstype=devpts,
+-
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
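Review bot: The patch strips every mount-related rule from the generated profile template — not only the unsupported `mount fstype=...` allow lines but also `umount,` and the three `deny mount ...` lines — so the profile no longer states any mount policy, and nothing in the patch records that this is a deliberate consequence of the parser limitation rather than a relaxation. On an AppArmor that does mediate mounts, a profile with no mount rules presumably refuses every mount inside the container rather than only the listed ones (worth confirming against the parser in use), and the intent behind the explicit denies (no `ro, remount` of `/`, no `devpts`, no `debugfs` under ureadahead) is no longer visible to anyone reading the template. The new file also has no description above the `Index:` line; the only rationale lives in docker.changes and the spec comment. I would add a short header to the patch naming the AppArmor version that lacks mount-rule support, stating that the deny rules are dropped only because they use the same unsupported syntax, and noting that the patch should be removed once the parser accepts `mount`/`umount` rules so it is not carried forward indefinitely.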