1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

apparmor: permit signals from unconfined programs

Otherwise if you try to kill a container process from the host directly,
you get EACCES. Also add a comment to make sure that the profile code
(which has been replicated by several projects) doesn't get out of sync.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
This commit is contained in:
Aleksa Sarai 2020-08-11 18:18:58 +10:00
parent c997a4995d
commit 725eced4e0
No known key found for this signature in database
GPG key ID: 9E18AA267DDB8DB4

View file

@ -2,6 +2,12 @@
package apparmor // import "github.com/docker/docker/profiles/apparmor"
// NOTE: This profile is replicated in containerd and libpod. If you make a
// change to this profile, please make follow-up PRs to those projects so
// that these rules can be synchronised (because any issue with this
// profile will likely affect libpod and containerd).
// TODO: Move this to a common project so we can maintain it in one spot.
// baseTemplate defines the default apparmor profile for containers.
const baseTemplate = `
{{range $value := .Imports}}
@ -18,9 +24,11 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
file,
umount,
{{if ge .Version 208096}}
{{/* Allow 'docker kill' to actually send signals to container processes. */}}
# Host (privileged) processes may send signals to container processes.
signal (receive) peer=unconfined,
# dockerd may send signals to container processes (for "docker kill").
signal (receive) peer={{.DaemonProfile}},
{{/* Allow container processes to send signals amongst themselves. */}}
# Container processes may send signals amongst themselves.
signal (send,receive) peer={{.Name}},
{{end}}