kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Adjust docker-default profile when docker daemon is confined

Browse source 
Adjust the docker-default profile for when the docker daemon is running in
AppArmor confinement. To enable 'docker kill' we need to allow the container
to receive kill signals from the daemon.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
This commit is contained in:
Stefan Berger 2015-10-12 10:41:18 -04:00 committed by Jessica Frazelle
parent 6079d9d6a3
commit 5cd6b3eca2
No known key found for this signature in database
GPG key ID: 18F3685C0022BFF3
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
daemon/execdriver/native/apparmor.go
View file

@ -55,6 +55,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/fs/cg[^r]*/** wklx, deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/efi/efivars/** rwklx, deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx, deny /sys/kernel/security/** rwklx,
# docker daemon confinement requires explict allow rule for signal
signal (receive) set=(kill,term) peer=/usr/bin/docker,
# suppress ptrace denails when using 'docker ps'
ptrace (trace,read) peer=docker-default,
} }
` `