Fix the proc integration test & include missing AA profile

Integration tests were failing due to proc filter behavior changes with new apparmor policies. Also include the missing docker-unconfined policy resolving potential startup errors. This policy is complain-only so it should behave identically to the standard unconfined policy, but will not apply system path-based policies within containers. Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-29 16:57:14 -04:00 · 2015-07-29 16:57:14 -04:00 · 5832715052
commit 5832715052
parent 0f85fadb4e
3 changed files with 29 additions and 4 deletions
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@ -40,6 +40,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  file,
  umount,

+  signal (receive) peer=/usr/bin/docker,
+  signal (receive) peer=docker-unconfined,
+
  deny @{PROC}/sys/fs/** wklx,
  deny @{PROC}/fs/** wklx,
  deny @{PROC}/sysrq-trigger rwklx,
@ -60,6 +63,21 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
 }
+
+profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) {
+  #include <abstractions/base>
+
+  network,
+  capability,
+  file,
+  umount,
+  mount,
+  pivot_root,
+  change_profile -> *,
+
+  ptrace,
+  signal,
+}
 `

 func generateProfile(out io.Writer) error {
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@ -198,7 +198,7 @@ func (d *Driver) setPrivileged(container *configs.Config) (err error) {
 	container.Devices = hostDevices

 	if apparmor.IsEnabled() {
-		container.AppArmorProfile = "unconfined"
+		container.AppArmorProfile = "docker-unconfined"
 	}

 	return nil
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@ -2440,7 +2440,11 @@ func (s *DockerSuite) TestRunReadFilteredProc(c *check.C) {
 		name := fmt.Sprintf("procsieve-%d", i)
 		shellCmd := fmt.Sprintf("exec 3<%s", filePath)

-		if out, exitCode, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd); err == nil || exitCode == 0 {
+		out, exitCode, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+		if exitCode != 0 {
+			return
+		}
+		if err != nil {
 			c.Fatalf("Open FD for read should have failed with permission denied, got: %s, %v", out, err)
 		}
 	}
@ -2545,8 +2549,11 @@ func (s *DockerSuite) TestRunWriteFilteredProc(c *check.C) {
 		name := fmt.Sprintf("writeprocsieve-%d", i)

 		shellCmd := fmt.Sprintf("exec 3>%s", filePath)
-		runCmd := exec.Command(dockerBinary, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
-		if out, exitCode, err := runCommandWithOutput(runCmd); err == nil || exitCode == 0 {
+		out, code, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+		if code != 0 {
+			return
+		}
+		if err != nil {
 			c.Fatalf("Open FD for write should have failed with permission denied, got: %s, %v", out, err)
 		}
 	}