forked from pool/docker

Accepting request 614826 from home:cyphar:containers:apparmor_fixup_bsc1073877

- Update to AppArmor patch so that signal mediation also works for signals
  between in-container processes. bsc#1073877
  * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch

OBS-URL: https://build.opensuse.org/request/show/614826
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=250
Valentin Rothberg 2018-06-07 06:25:06 +00:00 committed by Git OBS Bridge
parent 92f6adde7d
commit 83153bc279
2 changed files with 14 additions and 5 deletions


@ -1,4 +1,4 @@
From fb59d17b2617ebee34f91786428f63571a19bb74 Mon Sep 17 00:00:00 2001 From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000 Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill' Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
@ -11,20 +11,22 @@ SUSE-Bugs: bsc#1073877 boo#1089732
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
components/engine/profiles/apparmor/template.go | 4 ++++ components/engine/profiles/apparmor/template.go | 6 ++++++
1 file changed, 4 insertions(+) 1 file changed, 6 insertions(+)
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c5ea4584de6b..47c1b0659a15 100644 index c5ea4584de6b..082638e85903 100644
--- a/components/engine/profiles/apparmor/template.go --- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { @@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
capability, capability,
file, file,
umount, umount,
+{{if ge .Version 208096}} +{{if ge .Version 208096}}
+{{/* Allow 'docker kill' to actually send signals to container processes. */}} +{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+ signal (receive) peer=unconfined, + signal (receive) peer=unconfined,
+{{/* And allow signals to be sent inside the container. */}}
+ signal (send,receive) peer={{.Name}},
+{{end}} +{{end}}
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
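Review bot: the new rule `signal (send,receive) peer={{.Name}},` is scoped by profile label, not by container: every process confined under the same profile name matches `peer={{.Name}}`, and with the default profile that is every container on the host, so at the AppArmor layer this permits signals between containers that share the profile, not only "inside the container" as the new template comment `{{/* And allow signals to be sent inside the container. */}}` states. PID namespaces remain the isolation boundary for that case (unless containers deliberately share one), which is fine, but the comment should say that the rule is per profile label so nobody later reads it as a per-container boundary. Both new rules are correctly inside the single `{{if ge .Version 208096}}` block, so older parsers without signal mediation are unaffected.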


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Jun 5 11:24:35 UTC 2018 - asarai@suse.com
- Update to AppArmor patch so that signal mediation also works for signals
between in-container processes. bsc#1073877
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jun 5 06:38:40 UTC 2018 - asarai@suse.com Tue Jun 5 06:38:40 UTC 2018 - asarai@suse.com
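Review bot: the changelog entry cites only bsc#1073877, while the updated patch header in the other file carries `SUSE-Bugs: bsc#1073877 boo#1089732`; add boo#1089732 to this entry so both trackers are traceable from the changes file alone. It would also help a packager to state what actually changed in the profile (previously only `signal (receive) peer=unconfined` was granted; the `peer={{.Name}}` send/receive rule is new), rather than only that mediation "also works" for in-container signals.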