File bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch of Package docker.10006

From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'

In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
 .../engine/profiles/apparmor/apparmor.go      | 21 +++++++++++++++++++
 .../engine/profiles/apparmor/template.go      |  6 ++++++
 2 files changed, 27 insertions(+)

diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
index b021668c8e4c..2f58ee852cab 100644
--- a/components/engine/profiles/apparmor/apparmor.go
+++ b/components/engine/profiles/apparmor/apparmor.go
@@ -23,6 +23,8 @@ var (
 type profileData struct {
 	// Name is profile name.
 	Name string
+	// DaemonProfile is the profile name of our daemon.
+	DaemonProfile string
 	// Imports defines the apparmor functions to import, before defining the profile.
 	Imports []string
 	// InnerImports defines the apparmor functions to import in the profile.
@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
 		Name: name,
 	}
 
+	// Figure out the daemon profile.
+	currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
+	if err != nil {
+		// If we couldn't get the daemon profile, assume we are running
+		// unconfined which is generally the default.
+		currentProfile = nil
+	}
+	daemonProfile := string(currentProfile)
+	// Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
+	// profiles cannot contain spaces so this doesn't restrict daemon profile
+	// names.
+	if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
+		daemonProfile = parts[0]
+	}
+	if daemonProfile == "" {
+		daemonProfile = "unconfined"
+	}
+	p.DaemonProfile = daemonProfile
+
 	// Install to a temporary directory.
 	f, err := ioutil.TempFile("", name)
 	if err != nil {
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c00a3f70e993..400b3bd50a11 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   capability,
   file,
   umount,
+{{if ge .Version 208096}}
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+  signal (receive) peer={{.DaemonProfile}},
+{{/* Allow container processes to send signals amongst themselves. */}}
+  signal (send,receive) peer={{.Name}},
+{{end}}
 
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
-- 
2.19.1

openSUSE Build Service is sponsored by