File bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch of Package docker.9328
From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asarai@suse.de> Date: Sun, 8 Apr 2018 20:21:30 +1000 Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill' In newer kernels, AppArmor will reject attempts to send signals to a container because the signal originated from outside of that AppArmor profile. Correct this by allowing all unconfined signals to be received. SUSE-Bugs: bsc#1073877 boo#1089732 Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Signed-off-by: Aleksa Sarai <asarai@suse.de> --- components/engine/profiles/apparmor/template.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go index c00a3f70e993..772c4a4873f6 100644 --- a/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go @@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { capability, file, umount, +{{if ge .Version 208096}} +{{/* Allow 'docker kill' to actually send signals to container processes. */}} + signal (receive) peer=unconfined, +{{/* And allow signals to be sent inside the container. */}} + signal (send,receive) peer={{.Name}}, +{{end}} deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) # deny write to files not in /proc/<number>/** or /proc/sys/** -- 2.18.0
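Review bot: the version gate `{{if ge .Version 208096}}` uses a bare magic number with no comment saying which apparmor_parser version it encodes, so the next person touching the template cannot tell why the signal rules are skipped on older parsers; add a template comment on the `{{if ...}}` line stating the minimum parser version it represents and that the `signal` rule syntax is unsupported below it. On the rule itself, `signal (receive) peer=unconfined,` is wider than the comment above it suggests: it admits signals from every unconfined process on the host, not only from the daemon doing `docker kill`, which matches the commit message ("allowing all unconfined signals to be received") but not the inline comment; either reword that comment to say so, or note that narrowing the peer to the daemon's own profile would be the tighter option when the daemon runs confined. The second rule, `signal (send,receive) peer={{.Name}},`, is correctly scoped to the container's own profile and needs no change.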