path: root/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
blob: fd365425fb9590034b78f9190b35e63aa76eb6c1 (plain)
From 4822fb1e2423d88cdf0ad5d039b8fd3274b05401 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'

In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
 profiles/apparmor/apparmor.go | 21 +++++++++++++++++++++
 profiles/apparmor/template.go |  6 ++++++
 2 files changed, 27 insertions(+)

diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
index b021668c8e4c..2f58ee852cab 100644
--- a/components/engine/profiles/apparmor/apparmor.go
+++ b/components/engine/profiles/apparmor/apparmor.go
@@ -23,6 +23,8 @@ var (
 type profileData struct {
 	// Name is profile name.
 	Name string
+	// DaemonProfile is the profile name of our daemon.
+	DaemonProfile string
 	// Imports defines the apparmor functions to import, before defining the profile.
 	Imports []string
 	// InnerImports defines the apparmor functions to import in the profile.
@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
 		Name: name,
 	}
 
+	// Figure out the daemon profile.
+	currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
+	if err != nil {
+		// If we couldn't get the daemon profile, assume we are running
+		// unconfined which is generally the default.
+		currentProfile = nil
+	}
+	daemonProfile := string(currentProfile)
+	// Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
+	// profiles cannot contain spaces so this doesn't restrict daemon profile
+	// names.
+	if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
+		daemonProfile = parts[0]
+	}
+	if daemonProfile == "" {
+		daemonProfile = "unconfined"
+	}
+	p.DaemonProfile = daemonProfile
+
 	// Install to a temporary directory.
 	f, err := ioutil.TempFile("", name)
 	if err != nil {
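Review bot: The value read from `/proc/self/attr/current` is only cut at the first space before it is stored in `p.DaemonProfile`, so any trailing newline or other whitespace from the kernel interface is carried into the `peer={{.DaemonProfile}}` rule in template.go. I would normalise it first, e.g. `daemonProfile := strings.TrimSpace(string(currentProfile))`, and since this string becomes policy text it is worth rejecting anything that does not look like a profile name instead of templating it as-is. The read error is also discarded whatever its cause, and the fallback to `unconfined` widens the receive rule to every unconfined process; logging the error would make that downgrade visible. `len(parts) >= 1` is always true for `strings.SplitN` with a non-empty separator, so that condition can be dropped. InstallDefault starts and ends outside this hunk.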
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c00a3f70e993..400b3bd50a11 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   capability,
   file,
   umount,
+{{if ge .Version 208096}}
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+  signal (receive) peer={{.DaemonProfile}},
+{{/* Allow container processes to send signals amongst themselves. */}}
+  signal (send,receive) peer={{.Name}},
+{{end}}
 
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
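Review bot: The comment above `signal (receive) peer={{.DaemonProfile}},` describes the rule as being for 'docker kill', but when the daemon runs unconfined (the fallback set in apparmor.go) it renders as `peer=unconfined` and admits signals from any unconfined process on the host, with no restriction on the signal set. I would state that in the template comment, e.g. `{{/* Allow signals from the daemon's profile; if the daemon is unconfined this matches every unconfined process. */}}`. The threshold `208096` in `{{if ge .Version 208096}}` is also unexplained; a short comment naming the apparmor_parser version it presumably encodes would help the next reader. The profile template starts and ends outside this hunk.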