From e35c23311fce853fab318527789f11cc8c150ea2 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Mon, 7 Apr 2014 02:02:11 -0400
Subject: [PATCH 1/3] apparmor: docker-default: Include base abstraction

Encountered problems on 14.04 relating to signals between container processes being blocked by apparmor. The base abstraction contains appropriate rules to allow this communication.

Docker-DCO-1.1-Signed-off-by: Michael Brown (github: Supermathie)
---
 pkg/libcontainer/apparmor/setup.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/libcontainer/apparmor/setup.go b/pkg/libcontainer/apparmor/setup.go
index 4e1c95143a..cc786de9aa 100644
--- a/pkg/libcontainer/apparmor/setup.go
+++ b/pkg/libcontainer/apparmor/setup.go
@@ -18,6 +18,7 @@ const DefaultProfile = `
 @{PROC}=/proc/
 profile docker-default flags=(attach_disconnected,mediate_deleted) {
+ #include
 network,
 capability,
 file,

From 320b3e0d211d389addda02998a0f47839827b2af Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Mon, 7 Apr 2014 02:47:43 -0400
Subject: [PATCH 2/3] apparmor: abstractions/base expects pid variable

Add 'pid' variable pointing to 'self' to allow parsing of profile to succeed

Docker-DCO-1.1-Signed-off-by: Michael Brown (github: Supermathie)
---
 pkg/libcontainer/apparmor/setup.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/libcontainer/apparmor/setup.go b/pkg/libcontainer/apparmor/setup.go
index cc786de9aa..d9deec470e 100644
--- a/pkg/libcontainer/apparmor/setup.go
+++ b/pkg/libcontainer/apparmor/setup.go
@@ -16,6 +16,7 @@ const DefaultProfile = `
 #@{HOMEDIRS}+=
 @{multiarch}=*-linux-gnu*
 @{PROC}=/proc/
+@{pid}=self
 profile docker-default flags=(attach_disconnected,mediate_deleted) {
 #include

From 726206f2aa45b8a537ae6d6c819f21befc2e0aca Mon Sep 17 00:00:00 2001
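Review bot: The added `#include` of the base abstraction makes the effective docker-default policy depend on whatever abstractions/base file the host ships, so the text of DefaultProfile no longer shows the full set of rules a container receives and the result can differ between hosts and AppArmor versions. The base abstraction is also broader than the signal rules the commit message is after (it is generally expected to carry a number of general read rules as well), so the widening deserves a comment on the added line, e.g. `# base abstraction: needed so container processes can signal each other; also brings in its general read rules`. If the abstraction file is missing the parser is likely to reject the whole profile, which the next commit in this series already ran into for a different reason, so a load check of DefaultProfile with apparmor_parser in CI would catch that class of breakage early. The include's target is not visible in the hunk as rendered here, and the DefaultProfile raw string continues outside the hunk.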
From: Michael Brown
Date: Mon, 7 Apr 2014 03:04:27 -0400
Subject: [PATCH 3/3] apparmor: pull in variables from tunables/global

The variables that were defined at the top of the apparmor profile are best pulled in via the include.

Docker-DCO-1.1-Signed-off-by: Michael Brown (github: Supermathie)
---
 pkg/libcontainer/apparmor/setup.go | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/pkg/libcontainer/apparmor/setup.go b/pkg/libcontainer/apparmor/setup.go
index d9deec470e..4c664598ad 100644
--- a/pkg/libcontainer/apparmor/setup.go
+++ b/pkg/libcontainer/apparmor/setup.go
@@ -11,13 +11,8 @@ import (
 const DefaultProfilePath = "/etc/apparmor.d/docker"
 const DefaultProfile = `
 # AppArmor profile from lxc for containers.
-@{HOME}=@{HOMEDIRS}/*/ /root/
-@{HOMEDIRS}=/home/
-#@{HOMEDIRS}+=
-@{multiarch}=*-linux-gnu*
-@{PROC}=/proc/
-@{pid}=self
+#include
 profile docker-default flags=(attach_disconnected,mediate_deleted) {
 #include
 network,
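Review bot: Replacing the fixed variable definitions with the tunables include means @{HOME}, @{HOMEDIRS}, @{multiarch} and @{PROC} now take whatever values the host's tunables files supply, so a host-side change to the home directory list changes the container profile too, and nothing in the file records that coupling. The previous patch in this series shows that the base abstraction does not parse without @{pid}, and this hunk drops `@{pid}=self`, so the profile now loads only on hosts whose tunables define @{pid} — presumably the case on the 14.04 target, but worth stating explicitly. I would put a doc comment on the `const DefaultProfile` line in the hunk's context, e.g. `// DefaultProfile is the docker-default AppArmor profile. It includes the host's tunables/global and abstractions/base, so the effective policy depends on the AppArmor policy files installed on the host.` The include targets are not visible in the hunk as rendered here, and the const's raw string continues past the end of the hunk.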