forked from pool/docker
Accepting request 1116895 from home:cyphar:docker
- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
  version-specific templating for the default apparmor profile. bsc#1213500
  + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

OBS-URL: https://build.opensuse.org/request/show/1116895
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=396
parent
f28071cbb5
commit
47539840b4
@ -1,7 +1,7 @@
|
|||||||
From 2dedd52de834525fa533aba7854b91fdc783d821 Mon Sep 17 00:00:00 2001
|
From 2dedd52de834525fa533aba7854b91fdc783d821 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||||
Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets
|
Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
|
||||||
|
|
||||||
Since FileMode can have the directory bit set, allow a SecretStore
|
Since FileMode can have the directory bit set, allow a SecretStore
|
||||||
implementation to return secrets that are actually directories. This is
|
implementation to return secrets that are actually directories. This is
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From bd4c072521bdee906febc98d81ac092fcad8fc3b Mon Sep 17 00:00:00 2001
|
From bd4c072521bdee906febc98d81ac092fcad8fc3b Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||||
Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets
|
Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
|
||||||
|
|
||||||
This allows for us to pass in host credentials to a container, allowing
|
This allows for us to pass in host credentials to a container, allowing
|
||||||
for SUSEConnect to work with containers.
|
for SUSEConnect to work with containers.
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From fd0172ba27352f397ce7ff05d5dd1ec6c80054e5 Mon Sep 17 00:00:00 2001
|
From fd0172ba27352f397ce7ff05d5dd1ec6c80054e5 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Mon, 22 May 2023 15:44:54 +1000
|
Date: Mon, 22 May 2023 15:44:54 +1000
|
||||||
Subject: [PATCH 3/4] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
|
Subject: [PATCH 3/5] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
|
||||||
headers"
|
headers"
|
||||||
|
|
||||||
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
|
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From c19fad9e09248bf390fe9b2cd38f351104f186b8 Mon Sep 17 00:00:00 2001
|
From c19fad9e09248bf390fe9b2cd38f351104f186b8 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||||
Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on
|
Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
|
||||||
start
|
start
|
||||||
|
|
||||||
In the process of making docker-default reloading far less expensive,
|
In the process of making docker-default reloading far less expensive,
|
||||||
|
241
0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
Normal file
@ -0,0 +1,241 @@
|
|||||||
|
From 69790a375a38aca33a81c9b88aece9a0efd79726 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
|
Date: Wed, 11 Oct 2023 21:19:12 +1100
|
||||||
|
Subject: [PATCH 5/5] SLE12: revert "apparmor: remove version-conditionals from
|
||||||
|
template"
|
||||||
|
|
||||||
|
This reverts the following commits:
|
||||||
|
|
||||||
|
* 7008a514493a ("profiles/apparmor: remove version-conditional constraints (< 2.8.96)")
|
||||||
|
* 2e19a4d56bf2 ("contrib/apparmor: remove version-conditionals (< 2.9) from template")
|
||||||
|
* d169a5730649 ("contrib/apparmor: remove remaining version-conditionals (< 2.9) from template")
|
||||||
|
* ecaab085db4b ("profiles/apparmor: remove use of aaparser.GetVersion()")
|
||||||
|
* e3e715666f95 ("pkg/aaparser: deprecate GetVersion, as it's no longer used")
|
||||||
|
|
||||||
|
These version conditionals are still required on SLE 12, where our
|
||||||
|
apparmor_parser version is quite old.
|
||||||
|
|
||||||
|
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||||
|
---
|
||||||
|
contrib/apparmor/main.go | 16 ++++++++++++++--
|
||||||
|
contrib/apparmor/template.go | 16 ++++++++++++++++
|
||||||
|
pkg/aaparser/aaparser.go | 2 --
|
||||||
|
profiles/apparmor/apparmor.go | 14 ++++++++++++--
|
||||||
|
profiles/apparmor/template.go | 4 ++++
|
||||||
|
5 files changed, 46 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
|
||||||
|
index d67890d265de..f4a2978b86cb 100644
|
||||||
|
--- a/contrib/apparmor/main.go
|
||||||
|
+++ b/contrib/apparmor/main.go
|
||||||
|
@@ -6,9 +6,13 @@ import (
|
||||||
|
"os"
|
||||||
|
"path"
|
||||||
|
"text/template"
|
||||||
|
+
|
||||||
|
+ "github.com/docker/docker/pkg/aaparser"
|
||||||
|
)
|
||||||
|
|
||||||
|
-type profileData struct{}
|
||||||
|
+type profileData struct {
|
||||||
|
+ Version int
|
||||||
|
+}
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
if len(os.Args) < 2 {
|
||||||
|
@@ -18,6 +22,15 @@ func main() {
|
||||||
|
// parse the arg
|
||||||
|
apparmorProfilePath := os.Args[1]
|
||||||
|
|
||||||
|
+ version, err := aaparser.GetVersion()
|
||||||
|
+ if err != nil {
|
||||||
|
+ log.Fatal(err)
|
||||||
|
+ }
|
||||||
|
+ data := profileData{
|
||||||
|
+ Version: version,
|
||||||
|
+ }
|
||||||
|
+ fmt.Printf("apparmor_parser is of version %+v\n", data)
|
||||||
|
+
|
||||||
|
// parse the template
|
||||||
|
compiled, err := template.New("apparmor_profile").Parse(dockerProfileTemplate)
|
||||||
|
if err != nil {
|
||||||
|
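Review bot: the added `fmt.Printf("apparmor_parser is of version %+v\n", data)` sends a diagnostic to stdout of a profile generator and formats the whole struct, so it prints `{Version:209000}`-style text instead of the number; either drop it or route it through the logger the file already uses, e.g. `log.Printf("apparmor_parser version: %d", version)`, so it lands on stderr with the other messages. Also confirm `fmt` is imported: the import hunk at line 6 only shows os, path, text/template and the new aaparser import, and nothing above line 6 is visible in this diff.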
@@ -35,7 +48,6 @@ func main() {
|
||||||
|
}
|
||||||
|
defer f.Close()
|
||||||
|
|
||||||
|
- data := profileData{}
|
||||||
|
if err := compiled.Execute(f, data); err != nil {
|
||||||
|
log.Fatalf("executing template failed: %v", err)
|
||||||
|
}
|
||||||
|
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
|
||||||
|
index 58afcbe845ee..e6d0b6d37c58 100644
|
||||||
|
--- a/contrib/apparmor/template.go
|
||||||
|
+++ b/contrib/apparmor/template.go
|
||||||
|
@@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||||
|
|
||||||
|
umount,
|
||||||
|
pivot_root,
|
||||||
|
+{{if ge .Version 209000}}
|
||||||
|
signal (receive) peer=@{profile_name},
|
||||||
|
signal (receive) peer=unconfined,
|
||||||
|
signal (send),
|
||||||
|
+{{end}}
|
||||||
|
network,
|
||||||
|
capability,
|
||||||
|
owner /** rw,
|
||||||
|
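Review bot: the literal threshold in `{{if ge .Version 209000}}` is repeated verbatim in every hunk of this file, while profiles/apparmor/template.go compares against 208096 and 208095; a named constant or a template helper such as `{{if .SupportsSignals}}` would keep the next bump to one place. Worth a comment in the template, too, that on a parser below the threshold the later `deny ptrace (trace) peer=docker-default` line vanishes together with the allows, which is expected (an apparmor_parser that old does not know the signal/ptrace rule classes, per the commit message) but reads like an oversight without it.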
@@ -45,10 +47,12 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||||
|
/etc/ld.so.cache r,
|
||||||
|
/etc/passwd r,
|
||||||
|
|
||||||
|
+{{if ge .Version 209000}}
|
||||||
|
ptrace peer=@{profile_name},
|
||||||
|
ptrace (read) peer=docker-default,
|
||||||
|
deny ptrace (trace) peer=docker-default,
|
||||||
|
deny ptrace peer=/usr/bin/docker///bin/ps,
|
||||||
|
+{{end}}
|
||||||
|
|
||||||
|
/usr/lib/** rm,
|
||||||
|
/lib/** rm,
|
||||||
|
@@ -69,9 +73,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||||
|
/sbin/zfs rCx,
|
||||||
|
/sbin/apparmor_parser rCx,
|
||||||
|
|
||||||
|
+{{if ge .Version 209000}}
|
||||||
|
# Transitions
|
||||||
|
change_profile -> docker-*,
|
||||||
|
change_profile -> unconfined,
|
||||||
|
+{{end}}
|
||||||
|
|
||||||
|
profile /bin/cat (complain) {
|
||||||
|
/etc/ld.so.cache r,
|
||||||
|
@@ -93,8 +99,10 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||||
|
/dev/null rw,
|
||||||
|
/bin/ps mr,
|
||||||
|
|
||||||
|
+{{if ge .Version 209000}}
|
||||||
|
# We don't need ptrace so we'll deny and ignore the error.
|
||||||
|
deny ptrace (read, trace),
|
||||||
|
+{{end}}
|
||||||
|
|
||||||
|
# Quiet dac_override denials
|
||||||
|
deny capability dac_override,
|
||||||
|
@@ -112,11 +120,15 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||||
|
/proc/tty/drivers r,
|
||||||
|
}
|
||||||
|
profile /sbin/iptables (complain) {
|
||||||
|
+{{if ge .Version 209000}}
|
||||||
|
signal (receive) peer=/usr/bin/docker,
|
||||||
|
+{{end}}
|
||||||
|
capability net_admin,
|
||||||
|
}
|
||||||
|
profile /sbin/auplink flags=(attach_disconnected, complain) {
|
||||||
|
+{{if ge .Version 209000}}
|
||||||
|
signal (receive) peer=/usr/bin/docker,
|
||||||
|
+{{end}}
|
||||||
|
capability sys_admin,
|
||||||
|
capability dac_override,
|
||||||
|
|
||||||
|
@@ -135,7 +147,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||||
|
/proc/[0-9]*/mounts rw,
|
||||||
|
}
|
||||||
|
profile /sbin/modprobe /bin/kmod (complain) {
|
||||||
|
+{{if ge .Version 209000}}
|
||||||
|
signal (receive) peer=/usr/bin/docker,
|
||||||
|
+{{end}}
|
||||||
|
capability sys_module,
|
||||||
|
/etc/ld.so.cache r,
|
||||||
|
/lib/** rm,
|
||||||
|
@@ -149,7 +163,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||||
|
}
|
||||||
|
# xz works via pipes, so we do not need access to the filesystem.
|
||||||
|
profile /usr/bin/xz (complain) {
|
||||||
|
+{{if ge .Version 209000}}
|
||||||
|
signal (receive) peer=/usr/bin/docker,
|
||||||
|
+{{end}}
|
||||||
|
/etc/ld.so.cache r,
|
||||||
|
/lib/** rm,
|
||||||
|
/usr/bin/xz rm,
|
||||||
|
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
|
||||||
|
index 3d7c2c5a97b3..2b5a2605f9c1 100644
|
||||||
|
--- a/pkg/aaparser/aaparser.go
|
||||||
|
+++ b/pkg/aaparser/aaparser.go
|
||||||
|
@@ -13,8 +13,6 @@ const (
|
||||||
|
)
|
||||||
|
|
||||||
|
// GetVersion returns the major and minor version of apparmor_parser.
|
||||||
|
-//
|
||||||
|
-// Deprecated: no longer used, and will be removed in the next release.
|
||||||
|
func GetVersion() (int, error) {
|
||||||
|
output, err := cmd("", "--version")
|
||||||
|
if err != nil {
|
||||||
|
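Review bot: with the deprecation notice removed, the surviving doc comment "returns the major and minor version of apparmor_parser" no longer describes how the value is consumed: the templates compare it against 209000 and 208096, and the new field comment in profiles/apparmor/apparmor.go calls it the {major, minor, patch} version as a single number. State the encoding in the GetVersion comment so callers pick thresholds correctly.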
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
|
||||||
|
index d0f236160506..b3566b2f7354 100644
|
||||||
|
--- a/profiles/apparmor/apparmor.go
|
||||||
|
+++ b/profiles/apparmor/apparmor.go
|
||||||
|
@@ -14,8 +14,10 @@ import (
|
||||||
|
"github.com/docker/docker/pkg/aaparser"
|
||||||
|
)
|
||||||
|
|
||||||
|
-// profileDirectory is the file store for apparmor profiles and macros.
|
||||||
|
-const profileDirectory = "/etc/apparmor.d"
|
||||||
|
+var (
|
||||||
|
+ // profileDirectory is the file store for apparmor profiles and macros.
|
||||||
|
+ profileDirectory = "/etc/apparmor.d"
|
||||||
|
+)
|
||||||
|
|
||||||
|
// profileData holds information about the given profile for generation.
|
||||||
|
type profileData struct {
|
||||||
|
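Review bot: this hunk turns `profileDirectory` from a `const` into a package-level `var`, yet nothing else in the patch assigns to it; a mutable path for where profiles are written is exactly the kind of variable a later change can silently repurpose. Keep it `const` unless a test needs to override it, and if so say that in the comment.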
@@ -27,6 +29,8 @@ type profileData struct {
|
||||||
|
Imports []string
|
||||||
|
// InnerImports defines the apparmor functions to import in the profile.
|
||||||
|
InnerImports []string
|
||||||
|
+ // Version is the {major, minor, patch} version of apparmor_parser as a single number.
|
||||||
|
+ Version int
|
||||||
|
}
|
||||||
|
|
||||||
|
// generateDefault creates an apparmor profile from ProfileData.
|
||||||
|
@@ -46,6 +50,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
|
||||||
|
p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
|
||||||
|
}
|
||||||
|
|
||||||
|
+ ver, err := aaparser.GetVersion()
|
||||||
|
+ if err != nil {
|
||||||
|
+ return err
|
||||||
|
+ }
|
||||||
|
+ p.Version = ver
|
||||||
|
+
|
||||||
|
return compiled.Execute(out, p)
|
||||||
|
}
|
||||||
|
|
||||||
|
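Review bot: `generateDefault` now shells out to `apparmor_parser --version` on every profile generation and returns the raw error on failure, so a missing or unreadable apparmor_parser makes loading the default profile fail with no hint of why. Wrap it, e.g. `return fmt.Errorf("get apparmor_parser version: %w", err)`, and consider computing the version once per daemon run, since it cannot change between generations.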
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
|
||||||
|
index 5dcf35bf45c7..ed5892a7f6bd 100644
|
||||||
|
--- a/profiles/apparmor/template.go
|
||||||
|
+++ b/profiles/apparmor/template.go
|
||||||
|
@@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
capability,
|
||||||
|
file,
|
||||||
|
umount,
|
||||||
|
+{{if ge .Version 208096}}
|
||||||
|
# Host (privileged) processes may send signals to container processes.
|
||||||
|
signal (receive) peer=unconfined,
|
||||||
|
# dockerd may send signals to container processes (for "docker kill").
|
||||||
|
signal (receive) peer={{.DaemonProfile}},
|
||||||
|
# Container processes may send signals amongst themselves.
|
||||||
|
signal (send,receive) peer={{.Name}},
|
||||||
|
+{{end}}
|
||||||
|
|
||||||
|
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
||||||
|
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
||||||
|
@@ -49,7 +51,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
deny /sys/firmware/** rwklx,
|
||||||
|
deny /sys/kernel/security/** rwklx,
|
||||||
|
|
||||||
|
+{{if ge .Version 208095}}
|
||||||
|
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
|
||||||
|
ptrace (trace,read,tracedby,readby) peer={{.Name}},
|
||||||
|
+{{end}}
|
||||||
|
}
|
||||||
|
`
|
||||||
|
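Review bot: the ptrace block is gated on `ge .Version 208095` while the signal block in the previous hunk uses `208096` (and contrib/apparmor/template.go uses 209000 for both); if the one-patch-level difference is deliberate, which the title of the reverted commit 7008a514493a ("< 2.8.96") suggests, add a short comment beside each threshold so a future cleanup does not "fix" it.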
--
|
||||||
|
2.42.0
|
||||||
|
|
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 11 10:32:43 UTC 2023 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
|
||||||
|
version-specific templating for the default apparmor profile. bsc#1213500
|
||||||
|
+ 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||||
|
- Rebase patches:
|
||||||
|
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||||
|
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||||
|
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||||
|
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Sep 14 01:46:30 UTC 2023 - Aleksa Sarai <asarai@suse.com>
|
Thu Sep 14 01:46:30 UTC 2023 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
@ -67,7 +67,9 @@ Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
|||||||
# UPSTREAM: Revert of upstream patch to keep SLE-12 build working.
|
# UPSTREAM: Revert of upstream patch to keep SLE-12 build working.
|
||||||
Patch200: 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
Patch200: 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||||
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>.
|
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>.
|
||||||
Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
Patch201: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||||
|
# UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
|
||||||
|
Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||||
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
|
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
|
||||||
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
|
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
|
||||||
BuildRequires: audit
|
BuildRequires: audit
|
||||||
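Review bot: renumbering the existing Patch300 to Patch201 is unrelated to adding the new patch and shows up as churn in both this hunk and the %patch block below; the comment above it still says "Backport of", not "Revert of", so it does not obviously belong to the 2xx revert group either. Either note the regrouping in the changelog or add the new patch as Patch301 and leave Patch300 untouched.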
@ -215,7 +217,9 @@ cp %{SOURCE130} .
|
|||||||
%patch200 -p1
|
%patch200 -p1
|
||||||
%endif
|
%endif
|
||||||
# bsc#1099277
|
# bsc#1099277
|
||||||
%patch300 -p1
|
%patch201 -p1
|
||||||
|
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
|
||||||
|
%patch202 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
|
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
|
||||||
|
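Review bot: `%patch202 -p1` is applied after the `%endif` that closes the block guarding `%patch200`, i.e. unconditionally, so every build (not just SLE-12) now carries the version-conditional template and runs apparmor_parser --version when the daemon builds its default profile. The comment says that is acceptable for newer versions; if so, fine, but the spec comment for Patch202 says it exists "to make apparmor work on SLE 12", so either gate it under the same condition as patch200 or reword the comment to say it is intentionally applied everywhere.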