https://github.com/docker/docker-ce/releases/tag/v18.06.1-ce bsc#1102522 - Remove patches that were merged upstream: - bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=262
From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.
SUSE-Bugs: bsc#1073877 boo#1089732
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/profiles/apparmor/template.go | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
|
|
index c00a3f70e993..772c4a4873f6 100644
|
|
--- a/components/engine/profiles/apparmor/template.go
|
|
+++ b/components/engine/profiles/apparmor/template.go
|
|
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
|
capability,
|
|
file,
|
|
umount,
|
|
+{{if ge .Version 208096}}
|
|
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
|
|
+ signal (receive) peer=unconfined,
|
|
+{{/* And allow signals to be sent inside the container. */}}
|
|
+ signal (send,receive) peer={{.Name}},
|
|
+{{end}}
|
|
|
|
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
|
# deny write to files not in /proc/<number>/** or /proc/sys/**
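Review bot: The new `signal (receive) peer=unconfined,` rule only matches senders that are themselves unconfined, so on a host where dockerd or containerd run under their own AppArmor profile `docker kill` would presumably still be rejected; the template comment should say that the rule assumes an unconfined daemon rather than just "allow 'docker kill'". The rule is receive-only and names no signal set, which is what `docker kill --signal` needs and which gives the container no new ability to signal host processes, but that trade-off is worth stating in the generated profile. The gate `ge .Version 208096` is a magic number; a comment naming the version it encodes would help the next reader. I would replace the two template comments with `{{/* Receive any signal from an unconfined sender ('docker kill' via an unconfined dockerd/containerd; a confined daemon would need its own peer= rule). Receive-only: the container still cannot signal host processes. Requires apparmor_parser >= 2.8.96 (208096). */}}` and `{{/* Processes in the same container profile may signal each other. */}}`. The enclosing profile template starts and ends outside this hunk.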
|
|
--
|
|
2.18.0