deleted file mode 100644

@@ -1,241 +0,0 @@

-@{DOCKER_GRAPH_PATH}=/var/lib/docker

-

-profile /usr/bin/docker (attach_disconnected, complain) {

-  # Prevent following links to these files during container setup.

-  deny /etc/** mkl,

-  deny /dev/** kl,

-  deny /sys/** mkl,

-  deny /proc/** mkl,

-

-  mount -> @{DOCKER_GRAPH_PATH}/**,

-  mount -> /,

-  mount -> /proc/**,

-  mount -> /sys/**,

-  mount -> /run/docker/netns/**,

-

-  umount,

-  pivot_root,

-  signal (receive) peer=@{profile_name},

-  signal (receive) peer=unconfined,

-  signal (send),

-  ipc rw,

-  network,

-  capability,

-  owner /** rw,

-  @{DOCKER_GRAPH_PATH}/** rwl,

-  @{DOCKER_GRAPH_PATH}/linkgraph.db k,

-  @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,

-

-  # For non-root client use:

-  /dev/urandom r,

-  /run/docker.sock rw,

-  /proc/** r,

-  /sys/kernel/mm/hugepages/ r,

-  /etc/localtime r,

-  /etc/ld.so.cache r,

-

-  ptrace peer=@{profile_name},

-  ptrace (read) peer=docker-default,

-  deny ptrace (trace) peer=docker-default,

-  deny ptrace peer=/usr/bin/docker///bin/ps,

-

-  /usr/lib/** rm,

-  /lib/** rm,

-

-  /usr/bin/docker pix,

-  /sbin/xtables-multi rCx,

-  /sbin/iptables rCx,

-  /sbin/modprobe rCx,

-  /sbin/auplink rCx,

-  /sbin/mke2fs rCx,

-  /sbin/tune2fs rCx,

-  /sbin/blkid rCx,

-  /bin/kmod rCx,

-  /usr/bin/xz rCx,

-  /bin/ps rCx,

-  /bin/cat rCx,

-  /sbin/zfs rCx,

-  /sbin/apparmor_parser rCx,

-

-  # Transitions

-  change_profile -> docker-*,

-  change_profile -> unconfined,

-

-  profile /bin/cat (complain) {

-    /etc/ld.so.cache r,

-    /lib/** rm,

-    /dev/null rw,

-    /proc r,

-    /bin/cat mr,

-

-    # For reading in 'docker stats':

-    /proc/[0-9]*/net/dev r,

-  }

-  profile /bin/ps (complain) {

-    /etc/ld.so.cache r,

-    /etc/localtime r,

-    /etc/passwd r,

-    /etc/nsswitch.conf r,

-    /lib/** rm,

-    /proc/[0-9]*/** r,

-    /dev/null rw,

-    /bin/ps mr,

-

-    # We don't need ptrace so we'll deny and ignore the error.

-    deny ptrace (read, trace),

-

-    # Quiet dac_override denials

-    deny capability dac_override,

-    deny capability dac_read_search,

-    deny capability sys_ptrace,

-

-    /dev/tty r,

-    /proc/stat r,

-    /proc/cpuinfo r,

-    /proc/meminfo r,

-    /proc/uptime r,

-    /sys/devices/system/cpu/online r,

-    /proc/sys/kernel/pid_max r,

-    /proc/ r,

-    /proc/tty/drivers r,

-  }

-  profile /sbin/iptables (complain) {

-    signal (receive) peer=/usr/bin/docker,

-    capability net_admin,

-  }

-  profile /sbin/auplink flags=(attach_disconnected, complain) {

-    signal (receive) peer=/usr/bin/docker,

-    capability sys_admin,

-    capability dac_override,

-

-    @{DOCKER_GRAPH_PATH}/aufs/** rw,

-    @{DOCKER_GRAPH_PATH}/tmp/** rw,

-    # For user namespaces:

-    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

-

-    /sys/fs/aufs/** r,

-    /lib/** rm,

-    /apparmor/.null r,

-    /dev/null rw,

-    /etc/ld.so.cache r,

-    /sbin/auplink rm,

-    /proc/fs/aufs/** rw,

-    /proc/[0-9]*/mounts rw,

-  }

-  profile /sbin/modprobe /bin/kmod (complain) {

-    signal (receive) peer=/usr/bin/docker,

-    capability sys_module,

-    /etc/ld.so.cache r,

-    /lib/** rm,

-    /dev/null rw,

-    /apparmor/.null rw,

-    /sbin/modprobe rm,

-    /bin/kmod rm,

-    /proc/cmdline r,

-    /sys/module/** r,

-    /etc/modprobe.d{/,/**} r,

-  }

-  # xz works via pipes, so we do not need access to the filesystem.

-  profile /usr/bin/xz (complain) {

-    signal (receive) peer=/usr/bin/docker,

-    /etc/ld.so.cache r,

-    /lib/** rm,

-    /usr/bin/xz rm,

-    deny /proc/** rw,

-    deny /sys/** rw,

-  }

-  profile /sbin/xtables-multi (attach_disconnected, complain) {

-    /etc/ld.so.cache r,

-    /lib/** rm,

-    /sbin/xtables-multi rm,

-    /apparmor/.null w,

-    /dev/null rw,

-

-    /proc r,

-

-    capability net_raw,

-    capability net_admin,

-    network raw,

-  }

-  profile /sbin/zfs (attach_disconnected, complain) {

-    file,

-    capability,

-  }

-  profile /sbin/mke2fs (complain) {

-    /sbin/mke2fs rm,

-

-    /lib/** rm,

-

-    /apparmor/.null w,

-

-    /etc/ld.so.cache r,

-    /etc/mke2fs.conf r,

-    /etc/mtab r,

-

-    /dev/dm-* rw,

-    /dev/urandom r,

-    /dev/null rw,

-

-    /proc/swaps r,

-    /proc/[0-9]*/mounts r,

-  }

-  profile /sbin/tune2fs (complain) {

-    /sbin/tune2fs rm,

-

-    /lib/** rm,

-

-    /apparmor/.null w,

-

-    /etc/blkid.conf r,

-    /etc/mtab r,

-    /etc/ld.so.cache r,

-

-    /dev/null rw,

-    /dev/.blkid.tab r,

-    /dev/dm-* rw,

-

-    /proc/swaps r,

-    /proc/[0-9]*/mounts r,

-  }

-  profile /sbin/blkid (complain) {

-    /sbin/blkid rm,

-

-    /lib/** rm,

-    /apparmor/.null w,

-

-    /etc/ld.so.cache r,

-    /etc/blkid.conf r,

-

-    /dev/null rw,

-    /dev/.blkid.tab rl,

-    /dev/.blkid.tab* rwl,

-    /dev/dm-* r,

-

-    /sys/devices/virtual/block/** r,

-

-    capability mknod,

-

-    mount -> @{DOCKER_GRAPH_PATH}/**,

-  }

-  profile /sbin/apparmor_parser (complain) {

-    /sbin/apparmor_parser rm,

-

-    /lib/** rm,

-

-    /etc/ld.so.cache r,

-    /etc/apparmor/** r,

-    /etc/apparmor.d/** r,

-    /etc/apparmor.d/cache/** w,

-

-    /dev/null rw,

-

-    /sys/kernel/security/apparmor/** r,

-    /sys/kernel/security/apparmor/.replace w,

-

-    /proc/[0-9]*/mounts r,

-    /proc/sys/kernel/osrelease r,

-    /proc r,

-

-    capability mac_admin,

-  }

-}

new file mode 100644

@@ -0,0 +1,85 @@

+package main

+

+import (

+	"fmt"

+	"log"

+	"os"

+	"os/exec"

+	"path"

+	"strconv"

+	"strings"

+	"text/template"

+)

+

+type profileData struct {

+	MajorVersion int

+	MinorVersion int

+}

+

+func main() {

+	if len(os.Args) < 2 {

+		log.Fatal("pass a filename to save the profile in.")

+	}

+

+	// parse the arg

+	apparmorProfilePath := os.Args[1]

+

+	// get the apparmor_version version

+	cmd := exec.Command("/sbin/apparmor_parser", "--version")

+

+	output, err := cmd.CombinedOutput()

+	if err != nil {

+		log.Fatalf("getting apparmor_parser version failed: %s (%s)", err, output)

+	}

+

+	// parse the version from the output

+	// output is in the form of the following:

+	// AppArmor parser version 2.9.1

+	// Copyright (C) 1999-2008 Novell Inc.

+	// Copyright 2009-2012 Canonical Ltd.

+	lines := strings.SplitN(string(output), "\n", 2)

+	words := strings.Split(lines[0], " ")

+	version := words[len(words)-1]

+	// split by major minor version

+	v := strings.Split(version, ".")

+	if len(v) < 2 {

+		log.Fatalf("parsing major minor version failed for %q", version)

+	}

+

+	majorVersion, err := strconv.Atoi(v[0])

+	if err != nil {

+		log.Fatal(err)

+	}

+	minorVersion, err := strconv.Atoi(v[1])

+	if err != nil {

+		log.Fatal(err)

+	}

+	data := profileData{

+		MajorVersion: majorVersion,

+		MinorVersion: minorVersion,

+	}

+	fmt.Printf("apparmor_parser is of version %+v\n", data)

+

+	// parse the template

+	compiled, err := template.New("apparmor_profile").Parse(dockerProfileTemplate)

+	if err != nil {

+		log.Fatalf("parsing template failed: %v", err)

+	}

+

+	// make sure /etc/apparmor.d exists

+	if err := os.MkdirAll(path.Dir(apparmorProfilePath), 0755); err != nil {

+		log.Fatal(err)

+	}

+

+	f, err := os.OpenFile(apparmorProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)

+	if err != nil {

+		log.Fatal(err)

+	}

+	defer f.Close()

+

+	if err := compiled.Execute(f, data); err != nil {

+		log.Fatalf("executing template failed: %v", err)

+	}

+

+	fmt.Printf("created apparmor profile for version %+v at %q\n", data, apparmorProfilePath)

+}

new file mode 100644

@@ -0,0 +1,259 @@

+package main

+

+const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker

+

+profile /usr/bin/docker (attach_disconnected, complain) {

+  # Prevent following links to these files during container setup.

+  deny /etc/** mkl,

+  deny /dev/** kl,

+  deny /sys/** mkl,

+  deny /proc/** mkl,

+

+  mount -> @{DOCKER_GRAPH_PATH}/**,

+  mount -> /,

+  mount -> /proc/**,

+  mount -> /sys/**,

+  mount -> /run/docker/netns/**,

+

+  umount,

+  pivot_root,

+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}

+  signal (receive) peer=@{profile_name},

+  signal (receive) peer=unconfined,

+  signal (send),

+{{end}}{{end}}

+  ipc rw,

+  network,

+  capability,

+  owner /** rw,

+  @{DOCKER_GRAPH_PATH}/** rwl,

+  @{DOCKER_GRAPH_PATH}/linkgraph.db k,

+  @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,

+

+  # For non-root client use:

+  /dev/urandom r,

+  /run/docker.sock rw,

+  /proc/** r,

+  /sys/kernel/mm/hugepages/ r,

+  /etc/localtime r,

+  /etc/ld.so.cache r,

+

+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}

+  ptrace peer=@{profile_name},

+  ptrace (read) peer=docker-default,

+  deny ptrace (trace) peer=docker-default,

+  deny ptrace peer=/usr/bin/docker///bin/ps,

+{{end}}{{end}}

+

+  /usr/lib/** rm,

+  /lib/** rm,

+

+  /usr/bin/docker pix,

+  /sbin/xtables-multi rCx,

+  /sbin/iptables rCx,

+  /sbin/modprobe rCx,

+  /sbin/auplink rCx,

+  /sbin/mke2fs rCx,

+  /sbin/tune2fs rCx,

+  /sbin/blkid rCx,

+  /bin/kmod rCx,

+  /usr/bin/xz rCx,

+  /bin/ps rCx,

+  /bin/cat rCx,

+  /sbin/zfs rCx,

+  /sbin/apparmor_parser rCx,

+

+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}

+  # Transitions

+  change_profile -> docker-*,

+  change_profile -> unconfined,

+{{end}}{{end}}

+

+  profile /bin/cat (complain) {

+    /etc/ld.so.cache r,

+    /lib/** rm,

+    /dev/null rw,

+    /proc r,

+    /bin/cat mr,

+

+    # For reading in 'docker stats':

+    /proc/[0-9]*/net/dev r,

+  }

+  profile /bin/ps (complain) {

+    /etc/ld.so.cache r,

+    /etc/localtime r,

+    /etc/passwd r,

+    /etc/nsswitch.conf r,

+    /lib/** rm,

+    /proc/[0-9]*/** r,

+    /dev/null rw,

+    /bin/ps mr,

+

+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}

+    # We don't need ptrace so we'll deny and ignore the error.

+    deny ptrace (read, trace),

+{{end}}{{end}}

+

+    # Quiet dac_override denials

+    deny capability dac_override,

+    deny capability dac_read_search,

+    deny capability sys_ptrace,

+

+    /dev/tty r,

+    /proc/stat r,

+    /proc/cpuinfo r,

+    /proc/meminfo r,

+    /proc/uptime r,

+    /sys/devices/system/cpu/online r,

+    /proc/sys/kernel/pid_max r,

+    /proc/ r,

+    /proc/tty/drivers r,

+  }

+  profile /sbin/iptables (complain) {

+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}

+    signal (receive) peer=/usr/bin/docker,

+{{end}}{{end}}

+    capability net_admin,

+  }

+  profile /sbin/auplink flags=(attach_disconnected, complain) {

+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}

+    signal (receive) peer=/usr/bin/docker,

+{{end}}{{end}}

+    capability sys_admin,

+    capability dac_override,

+

+    @{DOCKER_GRAPH_PATH}/aufs/** rw,

+    @{DOCKER_GRAPH_PATH}/tmp/** rw,

+    # For user namespaces:

+    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

+

+    /sys/fs/aufs/** r,

+    /lib/** rm,

+    /apparmor/.null r,

+    /dev/null rw,

+    /etc/ld.so.cache r,

+    /sbin/auplink rm,

+    /proc/fs/aufs/** rw,

+    /proc/[0-9]*/mounts rw,

+  }

+  profile /sbin/modprobe /bin/kmod (complain) {

+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}

+    signal (receive) peer=/usr/bin/docker,

+{{end}}{{end}}

+    capability sys_module,

+    /etc/ld.so.cache r,

+    /lib/** rm,

+    /dev/null rw,

+    /apparmor/.null rw,

+    /sbin/modprobe rm,

+    /bin/kmod rm,

+    /proc/cmdline r,

+    /sys/module/** r,

+    /etc/modprobe.d{/,/**} r,

+  }

+  # xz works via pipes, so we do not need access to the filesystem.

+  profile /usr/bin/xz (complain) {

+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}

+    signal (receive) peer=/usr/bin/docker,

+{{end}}{{end}}

+    /etc/ld.so.cache r,

+    /lib/** rm,

+    /usr/bin/xz rm,

+    deny /proc/** rw,

+    deny /sys/** rw,

+  }

+  profile /sbin/xtables-multi (attach_disconnected, complain) {

+    /etc/ld.so.cache r,

+    /lib/** rm,

+    /sbin/xtables-multi rm,

+    /apparmor/.null w,

+    /dev/null rw,

+

+    /proc r,

+

+    capability net_raw,

+    capability net_admin,

+    network raw,

+  }

+  profile /sbin/zfs (attach_disconnected, complain) {

+    file,

+    capability,

+  }

+  profile /sbin/mke2fs (complain) {

+    /sbin/mke2fs rm,

+

+    /lib/** rm,

+

+    /apparmor/.null w,

+

+    /etc/ld.so.cache r,

+    /etc/mke2fs.conf r,

+    /etc/mtab r,

+

+    /dev/dm-* rw,

+    /dev/urandom r,

+    /dev/null rw,

+

+    /proc/swaps r,

+    /proc/[0-9]*/mounts r,

+  }

+  profile /sbin/tune2fs (complain) {

+    /sbin/tune2fs rm,

+

+    /lib/** rm,

+

+    /apparmor/.null w,

+

+    /etc/blkid.conf r,

+    /etc/mtab r,

+    /etc/ld.so.cache r,

+

+    /dev/null rw,

+    /dev/.blkid.tab r,

+    /dev/dm-* rw,

+

+    /proc/swaps r,

+    /proc/[0-9]*/mounts r,

+  }

+  profile /sbin/blkid (complain) {

+    /sbin/blkid rm,

+

+    /lib/** rm,

+    /apparmor/.null w,

+

+    /etc/ld.so.cache r,

+    /etc/blkid.conf r,

+

+    /dev/null rw,

+    /dev/.blkid.tab rl,

+    /dev/.blkid.tab* rwl,

+    /dev/dm-* r,

+

+    /sys/devices/virtual/block/** r,

+

+    capability mknod,

+

+    mount -> @{DOCKER_GRAPH_PATH}/**,

+  }

+  profile /sbin/apparmor_parser (complain) {

+    /sbin/apparmor_parser rm,

+

+    /lib/** rm,

+

+    /etc/ld.so.cache r,

+    /etc/apparmor/** r,

+    /etc/apparmor.d/** r,

+    /etc/apparmor.d/cache/** w,

+

+    /dev/null rw,

+

+    /sys/kernel/security/apparmor/** r,

+    /sys/kernel/security/apparmor/.replace w,

+

+    /proc/[0-9]*/mounts r,

+    /proc/sys/kernel/osrelease r,

+    /proc r,

+

+    capability mac_admin,

+  }

+}`

@@ -4,7 +4,7 @@

 FROM debian:jessie

-RUN apt-get update && apt-get install -y bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

+RUN apt-get update && apt-get install -y apparmor bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-apparmor dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

 ENV GO_VERSION 1.4.3

 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local

@@ -4,7 +4,7 @@

 FROM debian:stretch

-RUN apt-get update && apt-get install -y bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

+RUN apt-get update && apt-get install -y apparmor bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-apparmor dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

 ENV GO_VERSION 1.4.3

 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local

@@ -4,7 +4,7 @@

 FROM debian:wheezy-backports

-RUN apt-get update && apt-get install -y bash-completion btrfs-tools/wheezy-backports build-essential curl ca-certificates debhelper dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

+RUN apt-get update && apt-get install -y apparmor bash-completion btrfs-tools/wheezy-backports build-essential curl ca-certificates debhelper dh-apparmor dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

 ENV GO_VERSION 1.4.3

 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local

@@ -45,11 +45,13 @@ for version in "${versions[@]}"; do

 	# this list is sorted alphabetically; please keep it that way

 	packages=(

+		apparmor # for apparmor_parser for testing the profile

 		bash-completion # for bash-completion debhelper integration

 		btrfs-tools # for "btrfs/ioctl.h" (and "version.h" if possible)

 		build-essential # "essential for building Debian packages"

 		curl ca-certificates # for downloading Go

 		debhelper # for easy ".deb" building

+		dh-apparmor # for apparmor debhelper

 		dh-systemd # for systemd debhelper integration

 		git # for "git commit" info in "docker -v"

 		libapparmor-dev # for "sys/apparmor.h"

@@ -4,7 +4,7 @@

 FROM ubuntu:precise

-RUN apt-get update && apt-get install -y bash-completion  build-essential curl ca-certificates debhelper  git libapparmor-dev  libsqlite3-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

+RUN apt-get update && apt-get install -y apparmor bash-completion  build-essential curl ca-certificates debhelper dh-apparmor  git libapparmor-dev  libsqlite3-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

 ENV GO_VERSION 1.4.3

 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local

@@ -4,7 +4,7 @@

 FROM ubuntu:trusty

-RUN apt-get update && apt-get install -y bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

+RUN apt-get update && apt-get install -y apparmor bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-apparmor dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

 ENV GO_VERSION 1.4.3

 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local

@@ -4,7 +4,7 @@

 FROM ubuntu:vivid

-RUN apt-get update && apt-get install -y bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

+RUN apt-get update && apt-get install -y apparmor bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-apparmor dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

 ENV GO_VERSION 1.4.3

 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local

@@ -4,7 +4,7 @@

 FROM ubuntu:wily

-RUN apt-get update && apt-get install -y bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

+RUN apt-get update && apt-get install -y apparmor bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-apparmor dh-systemd git libapparmor-dev libdevmapper-dev libsqlite3-dev libsystemd-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*

 ENV GO_VERSION 1.4.3

 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local

@@ -10,3 +10,4 @@ contrib/init/systemd/docker.socket lib/systemd/system/

 contrib/mk* usr/share/docker-engine/contrib/

 contrib/nuke-graph-directory.sh usr/share/docker-engine/contrib/

 contrib/syntax/nano/Dockerfile.nanorc usr/share/nano/

+contrib/apparmor/docker-engine etc/apparmor.d/

@@ -32,5 +32,9 @@ override_dh_installudev:

 	# match our existing priority

 	dh_installudev --priority=z80

+override_dh_install:

+	dh_install

+	dh_apparmor --profile-name=docker-engine -pdocker-engine

+

 %:

 	dh $@ --with=bash-completion $(shell command -v dh_systemd_enable > /dev/null 2>&1 && echo --with=systemd)

@@ -57,6 +57,8 @@ set -e

 			echo 'ENV DOCKER_EXPERIMENTAL 1' >> "$DEST/$version/Dockerfile.build"

 		fi

 		cat >> "$DEST/$version/Dockerfile.build" <<-EOF

+			RUN go build -o aagen contrib/apparmor/*.go \

+				&& ./aagen contrib/apparmor/docker-engine

 			RUN ln -sfv hack/make/.build-deb debian

 			RUN { echo '$debSource (${debVersion}-0~${suite}) $suite; urgency=low'; echo; echo '  * Version: $VERSION'; echo; echo " -- $debMaintainer  $debDate"; } > debian/changelog && cat >&2 debian/changelog

 			RUN dpkg-buildpackage -uc -us

new file mode 100755

@@ -0,0 +1,57 @@

+#!/bin/bash

+# This script is used for testing install.sh and that it works for

+# each of component of our apt and yum repos

+set -e

+

+: ${DEB_DIR:="$(pwd)/bundles/$(cat VERSION)/build-deb"}

+

+if [[ ! -d "${DEB_DIR}" ]]; then

+	echo "you must first run `make deb` or hack/make/build-deb"

+	exit 1

+fi

+

+test_deb_install(){

+	# test for each Dockerfile in contrib/builder

+	for dir in contrib/builder/deb/*/; do

+		local from="$(awk 'toupper($1) == "FROM" { print $2; exit }' "$dir/Dockerfile")"

+		local dir=$(basename "$dir")

+

+		if [[ ! -d "${DEB_DIR}/${dir}" ]]; then

+			echo "No deb found for ${dir}"

+			exit 1

+		fi

+

+		local script=$(mktemp /tmp/install-XXXXXXXXXX.sh)

+		cat <<-EOF > "${script}"

+		#!/bin/bash

+		set -e

+		set -x

+

+		apt-get update && apt-get install -y apparmor

+

+		dpkg -i /root/debs/*.deb || true

+

+		apt-get install -yf

+

+		/etc/init.d/apparmor start

+

+		# this will do everything _except_ load the profile into the kernel

+		(

+		cd /etc/apparmor.d

+		/sbin/apparmor_parser --skip-kernel-load docker-engine

+		)

+		EOF

+

+		chmod +x "${script}"

+

+		echo "testing deb install for ${from}"

+		docker run --rm -i --privileged \

+			-v ${DEB_DIR}/${dir}:/root/debs \

+			-v ${script}:/install.sh \

+			${from} /install.sh

+

+		rm -f ${script}

+	done

+}

+

+test_deb_install

@@ -23,6 +23,8 @@ test_install_script(){

 			echo "running install.sh for ${component} with ${from}"

 			docker run --rm -i -v ${script}:/install.sh ${from} /install.sh

 		done

+

+		rm -f ${script}

 	done

 }