fix-apparmor.patch: fix https://github.com/docker/docker/issues/20269 . It affects SLE12 which has apparmor

version 2.8 and not openSUSE which has version 2.9. OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=71
2016-02-12 12:52:19 +00:00 · 2016-02-12 12:52:19 +00:00 · fce327c0ca
commit fce327c0ca
parent c9ddc4fd37
3 changed files with 114 additions and 0 deletions
--- a/docker.changes
+++ b/docker.changes
@ -31,6 +31,8 @@ https://github.com/docker/docker/blob/590d5108bbdaabb05af590f76c9757daceb6d02e/C
      Thus, we need to workaround the workaround in tumbleweed
    netlink_gcc_go.patch: add constants for syscalls TUNSETIFF and TUNSETPERSIST to fix a gcc issue.
      This is a workaround for bnc#964468: gcc-go can no longer compile Docker.
+    fix-apparmor.patch: fix https://github.com/docker/docker/issues/20269 . It affects SLE12 which has apparmor
+      version 2.8 and not openSUSE which has version 2.9.

 - reviewed patches:
    ignore-dockerinit-checksum.patch: review context in patch
--- a/docker.spec
+++ b/docker.spec
@ -44,6 +44,7 @@ Source100:      sysconfig.docker.ppc64le
 Patch0:         fix_platform_type_arm.patch
 Patch1:         gcc5_socket_workaround.patch
 Patch2:         fix-docker-init.patch
+Patch3:         fix-apparmor.patch
 # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
 # Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
 # We cannot do that, right now a quick and really dirty way to get it running is
@ -157,6 +158,7 @@ Test package for docker. It contains the source code and the tests.
 %patch1 -p1
 %endif
 %patch2 -p1
+%patch3 -p1
 %ifnarch %go_arches
 %patch101 -p1
 %patch108 -p1
--- a/fix-apparmor.patch
+++ b/fix-apparmor.patch
@ -0,0 +1,110 @@
+diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
+index 25f6e8c..2b15e1d 100644
+--- a/contrib/apparmor/main.go
+++ b/contrib/apparmor/main.go
+@@ -13,6 +13,7 @@ import (
+ type profileData struct {
+ 	MajorVersion int
+ 	MinorVersion int
+	PatchLevel   int
+ }
+ 
+ func main() {
+@@ -23,13 +24,14 @@ func main() {
+ 	// parse the arg
+ 	apparmorProfilePath := os.Args[1]
+ 
+-	majorVersion, minorVersion, err := aaparser.GetVersion()
+	majorVersion, minorVersion, patchLevel, err := aaparser.GetVersion()
+ 	if err != nil {
+ 		log.Fatal(err)
+ 	}
+ 	data := profileData{
+ 		MajorVersion: majorVersion,
+ 		MinorVersion: minorVersion,
+		PatchLevel:   patchLevel,
+ 	}
+ 	fmt.Printf("apparmor_parser is of version %+v\n", data)
+ 
+diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
+index 5bbfef6..33859fd 100644
+--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
+@@ -27,6 +27,7 @@ type data struct {
+ 	InnerImports []string
+ 	MajorVersion int
+ 	MinorVersion int
+	PatchLevel   int
+ }
+ 
+ const baseTemplate = `
+@@ -64,10 +65,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+   deny /sys/firmware/efi/efivars/** rwklx,
+   deny /sys/kernel/security/** rwklx,
+ 
+-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}
+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}{{if ge .PatchLevel 95}}
+  # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr)
+	# apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule
+	# other apparmor-2.8 versions do not support this rule
+   # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+   ptrace (trace,read) peer=docker-default,
+-{{end}}{{end}}
+{{end}}{{end}}{{end}}
+ {{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+   # docker daemon confinement requires explict allow rule for signal
+   signal (receive) set=(kill,term) peer={{.ExecPath}},
+@@ -91,7 +95,7 @@ func generateProfile(out io.Writer) error {
+ 	if abstractionsExists() {
+ 		data.InnerImports = append(data.InnerImports, "#include <abstractions/base>")
+ 	}
+-	data.MajorVersion, data.MinorVersion, err = aaparser.GetVersion()
+	data.MajorVersion, data.MinorVersion, data.PatchLevel, err = aaparser.GetVersion()
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
+index 23dda99..a2f2f58 100644
+--- a/pkg/aaparser/aaparser.go
+++ b/pkg/aaparser/aaparser.go
+@@ -8,8 +8,8 @@ import (
+ 	"strings"
+ )
+ 
+-// GetVersion returns the major and minor version of apparmor_parser
+-func GetVersion() (int, int, error) {
+// GetVersion returns the major, minor and patch level version of apparmor_parser
+func GetVersion() (int, int, int, error) {
+ 	// get the apparmor_version version
+ 	cmd := exec.Command("apparmor_parser", "--version")
+ 
+@@ -29,17 +29,25 @@ func GetVersion() (int, int, error) {
+ 	// split by major minor version
+ 	v := strings.Split(version, ".")
+ 	if len(v) < 2 {
+-		return -1, -1, fmt.Errorf("parsing major minor version failed for %q", version)
+		return -1, -1, -1, fmt.Errorf("parsing major minor and patch level version failed for %q", version)
+ 	}
+ 
+ 	majorVersion, err := strconv.Atoi(v[0])
+ 	if err != nil {
+-		return -1, -1, err
+		return -1, -1, -1, err
+ 	}
+ 	minorVersion, err := strconv.Atoi(v[1])
+ 	if err != nil {
+-		return -1, -1, err
+		return -1, -1, -1, err
+ 	}
+ 
+-	return majorVersion, minorVersion, nil
+	patchLevel := 0
+
+	if len(v) == 3 {
+		patchLevel, err = strconv.Atoi(v[2])
+		if err != nil {
+			return -1, -1, -1, err
+		}
+	}
+	return majorVersion, minorVersion, patchLevel, nil
+ }