From 4f828d67f00449182eaada50dfba37e00f8f01ef Mon Sep 17 00:00:00 2001
From: "Guillaume J. Charmes"
Date: Tue, 8 Apr 2014 10:10:51 -0700
Subject: [PATCH] Backup current docker apparmor profile and replace it with the new one

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes (github: creack)
---
 pkg/libcontainer/apparmor/setup.go | 36 +++++++++++++++++++++++++----
 runtime/execdriver/native/driver.go | 8 ++++---
 2 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/pkg/libcontainer/apparmor/setup.go b/pkg/libcontainer/apparmor/setup.go
index 4c664598ad..548e72f550 100644
--- a/pkg/libcontainer/apparmor/setup.go
+++ b/pkg/libcontainer/apparmor/setup.go
@@ -2,13 +2,17 @@ package apparmor
 
 import (
 	"fmt"
+	"io"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
 )
 
-const DefaultProfilePath = "/etc/apparmor.d/docker"
+const (
+	DefaultProfilePath = "/etc/apparmor.d/docker"
+)
+
 
 const DefaultProfile = `
 # AppArmor profile from lxc for containers.
@@ -73,14 +77,38 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
 }
 `
 
-func InstallDefaultProfile() error {
+func InstallDefaultProfile(backupPath string) error {
 	if !IsEnabled() {
 		return nil
 	}
 
-	// If the profile already exists, let it be.
+	// If the profile already exists, check if we already have a backup
+	// if not, do the backup and override it. (docker 0.10 upgrade changed the apparmor profile)
+	// see gh#5049, apparmor blocks signals in ubuntu 14.04
 	if _, err := os.Stat(DefaultProfilePath); err == nil {
-		return nil
+		if _, err := os.Stat(backupPath); err == nil {
+			// If both the profile and the backup are present, do nothing
+			return nil
+		}
+		// Make sure the directory exists
+		if err := os.MkdirAll(path.Dir(backupPath), 0755); err != nil {
+			return err
+		}
+
+		// Create the backup file
+		f, err := os.Create(backupPath)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		src, err := os.Open(DefaultProfilePath)
+		if err != nil {
+			return err
+		}
+		defer src.Close()
+		if _, err := io.Copy(f, src); err != nil {
+			return err
+		}
 	}
 
 	// Make sure /etc/apparmor.d exists
diff --git a/runtime/execdriver/native/driver.go b/runtime/execdriver/native/driver.go
index c5a3837615..d18865e508 100644
--- a/runtime/execdriver/native/driver.go
+++ b/runtime/execdriver/native/driver.go
@@ -21,8 +21,9 @@ import (
 )
 
 const (
-	DriverName = "native"
-	Version = "0.1"
+	DriverName = "native"
+	Version = "0.1"
+	BackupApparmorProfilePath = "apparmor/docker.back" // relative to docker root
 )
 
 func init() {
@@ -66,7 +67,8 @@ func NewDriver(root, initPath string) (*driver, error) {
 	if err := os.MkdirAll(root, 0700); err != nil {
 		return nil, err
 	}
-	if err := apparmor.InstallDefaultProfile(); err != nil {
+	// native driver root is at docker_root/execdriver/native. Put apparmor at docker_root
+	if err := apparmor.InstallDefaultProfile(filepath.Join(root, "../..", BackupApparmorProfilePath)); err != nil {
 		return nil, err
 	}
 	return &driver{
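Review bot: A failed backup is left on disk and then accepted as complete on every later run: `os.Create(backupPath)` runs before `os.Open(DefaultProfilePath)`, so if the open or the `io.Copy` fails the function returns with a zero-length or partial `backupPath` in place, and the next call hits the `os.Stat(backupPath)` early return and treats it as a valid copy while the rest of the function (per the commit title) goes on to replace the original profile. Opening the source first and copying into a temporary file that is renamed onto `backupPath` only after a checked `Close()` makes the backup all-or-nothing; the deferred `f.Close()` as written also discards the close error, which is where a short write would surface. The rewrite below uses `ioutil.TempFile`, which this file already imports; it creates the file 0600 rather than `os.Create`'s 0666-before-umask, which is no loss for a backup that only this code reads. `InstallDefaultProfile` continues past the hunk with the `/etc/apparmor.d` creation and profile write.
```go
	if _, err := os.Stat(DefaultProfilePath); err == nil {
		if _, err := os.Stat(backupPath); err == nil {
			// If both the profile and the backup are present, do nothing
			return nil
		}
		// … unchanged: MkdirAll(path.Dir(backupPath), 0755) …

		// Open the source first so that a failed open leaves no empty backup behind
		src, err := os.Open(DefaultProfilePath)
		if err != nil {
			return err
		}
		defer src.Close()

		// Copy into a temp file and rename it into place only after a checked Close,
		// so an interrupted copy can never be mistaken for a finished backup
		tmp, err := ioutil.TempFile(path.Dir(backupPath), "docker.back.")
		if err != nil {
			return err
		}
		defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
		if _, err := io.Copy(tmp, src); err != nil {
			tmp.Close()
			return err
		}
		if err := tmp.Close(); err != nil {
			return err
		}
		if err := os.Rename(tmp.Name(), backupPath); err != nil {
			return err
		}
	}
```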
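Review bot: The backup location is derived from `root` by walking up two levels with `filepath.Join(root, "../..", BackupApparmorProfilePath)`, so `NewDriver` writes the backup outside the native driver's own tree on the assumption that `root` is `docker_root/execdriver/native`, and nothing in the function checks that assumption; only the inline comment records it. Passing the docker root (or the final backup path) in from the caller would remove the coupling; failing that, the precondition belongs on `NewDriver`'s doc comment, e.g. `// NewDriver expects root to be <docker root>/execdriver/native; the apparmor profile backup is written two directories above it.` `NewDriver` starts outside the hunk.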