diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index ecbaf33510..254f0a2c40 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -40,6 +40,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 file,
 umount,
+ signal (receive) peer=/usr/bin/docker,
+ signal (receive) peer=docker-unconfined,
+
 deny @{PROC}/sys/fs/** wklx,
 deny @{PROC}/fs/** wklx,
 deny @{PROC}/sysrq-trigger rwklx,
@@ -60,6 +63,21 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
 }
+
+profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) {
+ #include
+
+ network,
+ capability,
+ file,
+ umount,
+ mount,
+ pivot_root,
+ change_profile -> *,
+
+ ptrace,
+ signal,
+}
 `
 func generateProfile(out io.Writer) error {
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index c7fc33d1d5..dc3eacf9af 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -198,7 +198,7 @@ func (d *Driver) setPrivileged(container *configs.Config) (err error) {
 container.Devices = hostDevices
 if apparmor.IsEnabled() {
- container.AppArmorProfile = "unconfined"
+ container.AppArmorProfile = "docker-unconfined"
 }
 return nil
diff --git a/hack/make/.build-deb/rules b/hack/make/.build-deb/rules
index ae2defcc0b..be45676c1d 100755
--- a/hack/make/.build-deb/rules
+++ b/hack/make/.build-deb/rules
@@ -34,7 +34,6 @@ override_dh_installudev:
 override_dh_install:
 dh_install
- dh_apparmor --profile-name=docker -pdocker-engine
 dh_apparmor --profile-name=docker-engine -pdocker-engine
 %:
diff --git a/hack/make/ubuntu b/hack/make/ubuntu
index 76c3f29053..24246da76a 100644
--- a/hack/make/ubuntu
+++ b/hack/make/ubuntu
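Review bot: The receive rule `signal (receive) peer=/usr/bin/docker,` only matches a daemon whose AppArmor label is exactly /usr/bin/docker; a daemon that runs unconfined (no docker-engine profile loaded, or a binary started from another path such as a dev build) carries the label `unconfined`, and as far as AppArmor's signal mediation goes this profile would still refuse its `docker stop`/`docker kill` signals. Consider adding `signal (receive) peer=unconfined,` next to it, with a short comment per peer saying why it is listed. Processes inside one container signalling each other (a shell's `kill`, an init reaping children) are also not covered by receive-only rules from these two peers; if that is expected to work, the matching rule would be `signal (send,receive) peer={{.Name}},`. The `peer=docker-unconfined` entry means any privileged container that shares a PID namespace with a docker-default container may signal it — defensible since privileged is effectively host root, but worth stating in the comment.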
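Review bot: The new `profile docker-unconfined` block has no comment explaining that it exists so privileged containers get a label the signal peer rule in the docker-default profile can name, and that its `complain` flag means nothing in it is enforced, only logged; a header such as `# Label for --privileged containers: complain mode, so it names the process without confining it` would stop a later reader from "tightening" it or, conversely, treating it as real confinement. The `#include` line shows no target in this view; if that is a rendering artefact it should be confirmed against the file, since apparmor_parser would likely reject a bare `#include`. `change_profile -> *` also lets a privileged process transition to any loaded profile, including docker-default — harmless in complain mode, but it belongs in the same comment.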
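Review bot: The profile name is now a bare string literal in two places — `container.AppArmorProfile = "docker-unconfined"` here in setPrivileged and the `profile docker-unconfined` line in the apparmor.go template — so renaming either one silently desynchronises them, and a label the kernel does not know will presumably make every privileged container fail to start. A package-level constant, e.g. `const privilegedProfile = "docker-unconfined"`, referenced from both sites (the template already takes fields such as {{.Name}}) would tie them together. The assignment also changes meaning from the special AppArmor label `unconfined` (no mediation at all) to a loaded complain-mode profile, which deserves a one-line comment on the `if apparmor.IsEnabled()` branch. setPrivileged starts before this hunk, so whether the profile's presence is verified first is not visible here.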
@@ -74,8 +74,7 @@ bundle_ubuntu() {
 # Include contributed apparmor policy
 mkdir -p "$DIR/etc/apparmor.d/"
- cp contrib/apparmor/docker "$DIR/etc/apparmor.d/"
- cp contrib/apparmor/docker-engine "$DIR/etc/apparmor.d/"
+ cp contrib/apparmor/* "$DIR/etc/apparmor.d/"
 # Copy the binary
 # This will fail if the binary bundle hasn't been built
@@ -95,7 +94,6 @@ if [ "$1" = 'configure' ] && [ -z "$2" ]; then
 fi
 if ( aa-status --enabled ); then
- /sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker
 /sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker-engine
 fi
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 1a51ff331b..761217bc1b 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -2440,7 +2440,11 @@ func (s *DockerSuite) TestRunReadFilteredProc(c *check.C) {
 name := fmt.Sprintf("procsieve-%d", i)
 shellCmd := fmt.Sprintf("exec 3<%s", filePath)
- if out, exitCode, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd); err == nil || exitCode == 0 {
+ out, exitCode, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+ if exitCode != 0 {
+ return
+ }
+ if err != nil {
 c.Fatalf("Open FD for read should have failed with permission denied, got: %s, %v", out, err)
 }
 }
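Review bot: `cp contrib/apparmor/* "$DIR/etc/apparmor.d/"` copies every file in contrib/apparmor rather than the named profiles; anything else that ends up in that directory (a README, a template, an editor backup) is fed to the AppArmor init at boot, and a parse failure there can stop the package's profiles from loading. Keeping explicit file names, or narrowing the glob to the profile files the package is meant to ship, keeps the packaged policy set under review. The postinst hunk below reloads only `/etc/apparmor.d/docker-engine` explicitly, so any extra file the glob adds to the package is not loaded on install until the next boot — if that is deliberate, a comment there saying so would help.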
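Review bot: The rewritten check no longer fails when the open succeeds: with the new shape, `exitCode == 0` together with `err == nil` falls through both ifs and the test passes, which is exactly the regression TestRunReadFilteredProc exists to catch (the removed condition `err == nil || exitCode == 0` failed it). The `return` on a non-zero exit code also ends the whole test function on the first denied path, so only the first entry of the loop over `i`/`filePath` is ever exercised. Keeping the original condition, `if exitCode == 0 || err == nil { c.Fatalf(...) }`, restores both behaviours; the same change appears in the TestRunWriteFilteredProc hunk that follows (with `code` in place of `exitCode`). The enclosing loop and function start before this hunk.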
@@ -2545,8 +2549,11 @@ func (s *DockerSuite) TestRunWriteFilteredProc(c *check.C) {
 name := fmt.Sprintf("writeprocsieve-%d", i)
 shellCmd := fmt.Sprintf("exec 3>%s", filePath)
- runCmd := exec.Command(dockerBinary, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
- if out, exitCode, err := runCommandWithOutput(runCmd); err == nil || exitCode == 0 {
+ out, code, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+ if code != 0 {
+ return
+ }
+ if err != nil {
 c.Fatalf("Open FD for write should have failed with permission denied, got: %s, %v", out, err)
 }
 }