apparmor: permit signals from unconfined programs

Otherwise if you try to kill a container process from the host directly, you get EACCES. Also add a comment to make sure that the profile code (which has been replicated by several projects) doesn't get out of sync. Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-08-11 18:18:58 +10:00 · 2020-08-11 18:18:58 +10:00 · 725eced4e0
parent c997a4995d
commit 725eced4e0
1 changed files with 10 additions and 2 deletions
--- a/profiles/apparmor/template.go
+++ b/profiles/apparmor/template.go
@ -2,6 +2,12 @@

 package apparmor // import "github.com/docker/docker/profiles/apparmor"

+// NOTE: This profile is replicated in containerd and libpod. If you make a
+//       change to this profile, please make follow-up PRs to those projects so
+//       that these rules can be synchronised (because any issue with this
+//       profile will likely affect libpod and containerd).
+// TODO: Move this to a common project so we can maintain it in one spot.
+
 // baseTemplate defines the default apparmor profile for containers.
 const baseTemplate = `
 {{range $value := .Imports}}
@ -18,9 +24,11 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  file,
  umount,
 {{if ge .Version 208096}}
-{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+  # Host (privileged) processes may send signals to container processes.
+  signal (receive) peer=unconfined,
+  # dockerd may send signals to container processes (for "docker kill").
  signal (receive) peer={{.DaemonProfile}},
-{{/* Allow container processes to send signals amongst themselves. */}}
+  # Container processes may send signals amongst themselves.
  signal (send,receive) peer={{.Name}},
 {{end}}