This patch addresses the following AppArmor complaints:
type=AVC msg=audit(1445537397.873:547): apparmor="ALLOWED" operation="mount"
info="failed srcname match" error=-13 profile="/usr/bin/docker"
name="/.pivot_root602836504/" pid=11512 comm="exe" flags="rw, rprivate"
type=AVC msg=audit(1445537265.325:502): apparmor="ALLOWED"
operation="file_lock" profile="/usr/bin/docker"
name="/var/lib/docker/network/files/local-kv.db" pid=9574 comm="docker"
requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
| ... | ... |
@@ -14,6 +14,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
| 14 | 14 |
mount -> /proc/**, |
| 15 | 15 |
mount -> /sys/**, |
| 16 | 16 |
mount -> /run/docker/netns/**, |
| 17 |
+ mount -> /.pivot_root[0-9]*/, |
|
| 18 |
+ |
|
| 19 |
+ / r, |
|
| 17 | 20 |
|
| 18 | 21 |
umount, |
| 19 | 22 |
pivot_root, |
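Review bot: The new rule on new line 17, `mount -> /.pivot_root[0-9]*/,`, permits a mount of any filesystem type with any options onto that target, while the audit record quoted in the description only shows a propagation change with `flags="rw, rprivate"` and no source. AppArmor mount rules accept an `options=` qualifier, so `mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,` would cover the logged operation without also allowing other mounts at that path; if the operation turns out to need more, the denial will show it since the profile is in complain mode. The `/ r,` on new line 19 grants read on the root directory entry only (no glob), presumably so pivot_root can traverse it, but a comment such as `# pivot_root needs to read / and mount its temporary /.pivot_rootNNN/ directory` would record why both lines sit among the mount rules. The `profile /usr/bin/docker` block begins before this hunk and continues after it.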
| ... | ... |
@@ -29,6 +32,7 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
| 29 | 29 |
@{DOCKER_GRAPH_PATH}/** rwl,
|
| 30 | 30 |
@{DOCKER_GRAPH_PATH}/linkgraph.db k,
|
| 31 | 31 |
@{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
|
| 32 |
+ @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
|
|
| 32 | 33 |
|
| 33 | 34 |
# For non-root client use: |
| 34 | 35 |
/dev/urandom r, |