File 0004-bsc1073877-apparmor-clobber-docker-default... of Package docker.35144

Overview Repositories Revisions Requests Users Attributes Meta

File 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch of Package docker.35144

From 208a9ba144d7ab21b9717d669a577e2dbbf7ab2e Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on
 start

In the process of making docker-default reloading far less expensive,
567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
profiles") mistakenly made the initial profile load at dockerd start-up
lazy. As a result, if you have a running Docker daemon and upgrade it to
a new one with an updated AppArmor profile the new profile will not take
effect (because the old one is still loaded). The fix for this is quite
trivial, and just requires us to clobber the profile on start-up.

Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles")
SUSE-Bugs: bsc#1099277
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
 daemon/apparmor_default.go             | 14 ++++++++++----
 daemon/apparmor_default_unsupported.go |  4 ++++
 daemon/daemon.go                       |  5 +++--
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 81e10b6cbec0..e695667a190f 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
 	return ""
 }
 
+func clobberDefaultAppArmorProfile() error {
+	if apparmor.HostSupports() {
+		if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
+			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
+		}
+	}
+	return nil
+}
+
 func ensureDefaultAppArmorProfile() error {
 	if apparmor.HostSupports() {
 		loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
@@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error {
 		}
 
 		// Load the profile.
-		if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
-			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
-		}
+		return clobberDefaultAppArmorProfile()
 	}
-
 	return nil
 }
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
index be4938f5b61a..2b326fea5829 100644
--- a/daemon/apparmor_default_unsupported.go
+++ b/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@
 
 package daemon // import "github.com/docker/docker/daemon"
 
+func clobberDefaultAppArmorProfile() error {
+	return nil
+}
+
 func ensureDefaultAppArmorProfile() error {
 	return nil
 }
diff --git a/daemon/daemon.go b/daemon/daemon.go
index c28e3063d576..c3228a084cb1 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -900,8 +900,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err)
 	}
 
-	// ensureDefaultAppArmorProfile does nothing if apparmor is disabled
-	if err := ensureDefaultAppArmorProfile(); err != nil {
+	// Make sure we clobber any pre-existing docker-default profile to ensure
+	// that upgrades to the profile actually work smoothly.
+	if err := clobberDefaultAppArmorProfile(); err != nil {
 		log.G(ctx).Errorf(err.Error())
 	}
 
-- 
2.45.2

Places

File 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch of Package docker.35144

Places