GitList

Browse code

Adjust docker-default profile when docker daemon is confined

Adjust the docker-default profile for when the docker daemon is running in
AppArmor confinement. To enable 'docker kill' we need to allow the container
to receive kill signals from the daemon.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Stefan Berger authored on 2015/10/12 23:41:18
Showing 1 changed files

daemon/execdriver/native/apparmor.go

History View file @ 5cd6b3e

@@ -55,6 +55,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
                        deny /sys/fs/cg[^r]*/** wklx,
                        deny /sys/firmware/efi/efivars/** rwklx,
                        deny /sys/kernel/security/** rwklx,
+                    +
                     +  # docker daemon confinement requires explict allow rule for signal
                     +  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+                    +
                     +  # suppress ptrace denails when using 'docker ps'
                     +  ptrace (trace,read) peer=docker-default,
+                     }
+                     `