Accepting request 619741 from home:cyphar:docker_apparmor
- Update the AppArmor patchset again to fix a separate issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. bsc#1099277 * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch OBS-URL: https://build.opensuse.org/request/show/619741 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=254
This commit is contained in:
parent
b71d7ce544
commit
b7f9caccb8
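--- a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+++ b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
@@ -1,7 +1,7 @@
 From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Sun, 8 Apr 2018 20:21:30 +1000
-Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
+Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
 
 In newer kernels, AppArmor will reject attempts to send signals to a
 container because the signal originated from outside of that AppArmor
@@ -32,5 +32,5 @@ index c5ea4584de6b..082638e85903 100644
 deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
 # deny write to files not in /proc/<number>/** or /proc/sys/**
 --
-2.16.3
+2.17.1
 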
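--- /dev/null
+++ b/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
@@ -0,0 +1,87 @@
+From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Fri, 29 Jun 2018 17:59:30 +1000
+Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
+
+In the process of making docker-default reloading far less expensive,
+567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
+profiles") mistakenly made the initial profile load at dockerd start-up
+lazy. As a result, if you have a running Docker daemon and upgrade it to
+a new one with an updated AppArmor profile the new profile will not take
+effect (because the old one is still loaded). The fix for this is quite
+trivial, and just requires us to clobber the profile on start-up.
+
+Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles")
+SUSE-Bugs: bsc#1099277
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+components/engine/daemon/apparmor_default.go | 14 ++++++++++----
+.../engine/daemon/apparmor_default_unsupported.go | 4 ++++
+components/engine/daemon/daemon.go | 4 +++-
+3 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go
+index 2a418b25c241..c3e271ee4774 100644
+--- a/components/engine/daemon/apparmor_default.go
++++ b/components/engine/daemon/apparmor_default.go
+@@ -14,6 +14,15 @@ const (
+defaultApparmorProfile = "docker-default"
+)
+
++func clobberDefaultAppArmorProfile() error {
++ if apparmor.IsEnabled() {
++ if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
++ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
++ }
++ }
++ return nil
++}
++
+func ensureDefaultAppArmorProfile() error {
+if apparmor.IsEnabled() {
+loaded, err := aaprofile.IsLoaded(defaultApparmorProfile)
+@@ -27,10 +36,7 @@ func ensureDefaultAppArmorProfile() error {
+}
+
+// Load the profile.
+- if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
+- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
+- }
++ return clobberDefaultAppArmorProfile()
+}
+-
+return nil
+}
+diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go
+index cd2dd9702ef2..17584063c711 100644
+--- a/components/engine/daemon/apparmor_default_unsupported.go
++++ b/components/engine/daemon/apparmor_default_unsupported.go
+@@ -2,6 +2,10 @@
+
+package daemon
+
++func clobberDefaultAppArmorProfile() error {
++ return nil
++}
++
+func ensureDefaultAppArmorProfile() error {
+return nil
+}
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index a11a1f8691cc..6f8846b19f57 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
+logrus.Warnf("Failed to configure golang's threads limit: %v", err)
+}
+
+- if err := ensureDefaultAppArmorProfile(); err != nil {
++ // Make sure we clobber any pre-existing docker-default profile to ensure
++ // that upgrades to the profile actually work smoothly.
++ if err := clobberDefaultAppArmorProfile(); err != nil {
+logrus.Errorf(err.Error())
+}
+
+--
+2.17.1
+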
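Review bot: A failed InstallDefault inside the new clobberDefaultAppArmorProfile is only logged by NewDaemon (the existing `logrus.Errorf(err.Error())` line is kept), so when the reload fails on an AppArmor-enabled host the previously loaded docker-default profile stays in the kernel and, assuming the lines of ensureDefaultAppArmorProfile above the second hunk still return early once IsLoaded reports the profile present, every later container start silently runs under the stale profile, which is exactly the state this patch sets out to remove. Consider making that start-up failure fatal, or at least naming the consequence in the message, e.g. `return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded (any previously loaded version stays in effect): %v", defaultApparmorProfile, err)`. Two smaller points: ensureDefaultAppArmorProfile now re-checks apparmor.IsEnabled() inside a helper it has already guarded, and the format string uses `%s` for an error value where `%v` is the convention. NewDaemon starts and ends outside the hunk.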
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jun 29 08:35:56 UTC 2018 - asarai@suse.com
|
||||||
|
|
||||||
|
- Update the AppArmor patchset again to fix a separate issue where changed
|
||||||
|
AppArmor profiles don't actually get applied on Docker daemon reboot.
|
||||||
|
bsc#1099277
|
||||||
|
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||||
|
+ bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Jun 13 10:19:23 UTC 2018 - dcassany@suse.com
|
Wed Jun 13 10:19:23 UTC 2018 - dcassany@suse.com
|
||||||
|
|
||||||
|
@ -68,6 +68,8 @@ Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespa
|
|||||||
Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
|
Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
|
||||||
Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||||
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
|
||||||
|
Patch403: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||||
BuildRequires: audit
|
BuildRequires: audit
|
||||||
BuildRequires: bash-completion
|
BuildRequires: bash-completion
|
||||||
BuildRequires: ca-certificates
|
BuildRequires: ca-certificates
|
||||||
@ -198,6 +200,8 @@ Test package for docker. It contains the source code and the tests.
|
|||||||
%patch401 -p1
|
%patch401 -p1
|
||||||
# bsc#1073877
|
# bsc#1073877
|
||||||
%patch402 -p1
|
%patch402 -p1
|
||||||
|
# bsc#1099277
|
||||||
|
%patch403 -p1
|
||||||
|
|
||||||
cp %{SOURCE7} .
|
cp %{SOURCE7} .
|
||||||
cp %{SOURCE9} .
|
cp %{SOURCE9} .
|
||||||
|