Merge pull request #41337 from cyphar/apparmor-update-profile

apparmor: permit signals from unconfined programs
2020-09-11 12:05:40 +01:00 · 2020-09-11 12:05:40 +01:00 · 7ca355652f
commit 7ca355652f
parent ea2f17e7f4 725eced4e0
1 changed files with 10 additions and 2 deletions
--- a/profiles/apparmor/template.go
+++ b/profiles/apparmor/template.go
@ -2,6 +2,12 @@

 package apparmor // import "github.com/docker/docker/profiles/apparmor"

+// NOTE: This profile is replicated in containerd and libpod. If you make a
+//       change to this profile, please make follow-up PRs to those projects so
+//       that these rules can be synchronised (because any issue with this
+//       profile will likely affect libpod and containerd).
+// TODO: Move this to a common project so we can maintain it in one spot.
+
 // baseTemplate defines the default apparmor profile for containers.
 const baseTemplate = `
 {{range $value := .Imports}}
@ -18,9 +24,11 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  file,
  umount,
 {{if ge .Version 208096}}
-{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+  # Host (privileged) processes may send signals to container processes.
+  signal (receive) peer=unconfined,
+  # dockerd may send signals to container processes (for "docker kill").
  signal (receive) peer={{.DaemonProfile}},
-{{/* Allow container processes to send signals amongst themselves. */}}
+  # Container processes may send signals amongst themselves.
  signal (send,receive) peer={{.Name}},
 {{end}}