
Fix the proc integration test & include missing AA profile

Integration tests were failing due to proc filter behavior
changes with new apparmor policies.

Also include the missing docker-unconfined policy resolving
potential startup errors. This policy is complain-only so
it should behave identically to the standard unconfined policy,
but will not apply system path-based policies within containers.

Signed-off-by: Eric Windisch <eric@windisch.us>
(cherry picked from commit 5832715052e9e165cc40a5ac8178fa62685985aa)
Eric Windisch 10 years ago
parent
commit
9eff33735a

+ 18 - 0
daemon/execdriver/native/apparmor.go

@@ -40,6 +40,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   file,
   umount,
 
+  signal (receive) peer=/usr/bin/docker,
+  signal (receive) peer=docker-unconfined,
+
   deny @{PROC}/sys/fs/** wklx,
   deny @{PROC}/fs/** wklx,
   deny @{PROC}/sysrq-trigger rwklx,
@@ -60,6 +63,21 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
 }
+
+profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) {
+  #include <abstractions/base>
+
+  network,
+  capability,
+  file,
+  umount,
+  mount,
+  pivot_root,
+  change_profile -> *,
+
+  ptrace,
+  signal,
+}
 `
 
 func generateProfile(out io.Writer) error {
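Review bot: The new docker-unconfined profile in the second hunk carries no comment saying why it exists or what the `complain` flag does, and a reader scanning the template could take its rule list for a confining policy; in complain mode nothing here is enforced (violations are logged, never denied), and `change_profile -> *` additionally lets a process under this profile transition to any loaded profile. Suggest a comment above the profile line, e.g. `# Applied to --privileged containers. Complain-mode, so it audits but never denies; it exists so system path-based profiles are not applied inside the container.` The first hunk's `signal (receive) peer=/usr/bin/docker` pins the daemon's label to that path; if the daemon runs unconfined or from another install path its peer label presumably differs, so it is worth confirming the rule matches the daemon in the supported installs. generateProfile begins on the last line of the hunk and its body lies outside it.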

+ 1 - 1
daemon/execdriver/native/create.go

@@ -198,7 +198,7 @@ func (d *driver) setPrivileged(container *configs.Config) (err error) {
 	container.Devices = hostDevices
 
 	if apparmor.IsEnabled() {
-		container.AppArmorProfile = "unconfined"
+		container.AppArmorProfile = "docker-unconfined"
 	}
 
 	return nil
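Review bot: The new assignment picks a profile by name with no comment explaining why privileged containers get `docker-unconfined` rather than the kernel's built-in `unconfined` label, which is what a reader would expect for --privileged. Suggest `// docker-unconfined is a complain-mode profile defined in apparmor.go; unlike the bare unconfined label it keeps system path-based profiles from applying inside the container.` The branch only checks apparmor.IsEnabled(), so if the generated profile has not been loaded into the kernel the container would presumably fail to start with an unknown-profile error; whether loading is guaranteed before this runs is not visible here. setPrivileged starts outside the hunk.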

+ 10 - 3
integration-cli/docker_cli_run_test.go

@@ -2440,7 +2440,11 @@ func (s *DockerSuite) TestRunReadFilteredProc(c *check.C) {
 		name := fmt.Sprintf("procsieve-%d", i)
 		shellCmd := fmt.Sprintf("exec 3<%s", filePath)
 
-		if out, exitCode, err := dockerCmdWithError(c, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd); err == nil || exitCode == 0 {
+		out, exitCode, err := dockerCmdWithError(c, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+		if exitCode != 0 {
+			return
+		}
+		if err != nil {
 			c.Fatalf("Open FD for read should have failed with permission denied, got: %s, %v", out, err)
 		}
 	}
@@ -2545,8 +2549,11 @@ func (s *DockerSuite) TestRunWriteFilteredProc(c *check.C) {
 		name := fmt.Sprintf("writeprocsieve-%d", i)
 
 		shellCmd := fmt.Sprintf("exec 3>%s", filePath)
-		runCmd := exec.Command(dockerBinary, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
-		if out, exitCode, err := runCommandWithOutput(runCmd); err == nil || exitCode == 0 {
+		out, code, err := dockerCmdWithError(c, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+		if code != 0 {
+			return
+		}
+		if err != nil {
 			c.Fatalf("Open FD for write should have failed with permission denied, got: %s, %v", out, err)
 		}
 	}
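Review bot: The rewritten check in TestRunReadFilteredProc (first hunk, and the same shape in TestRunWriteFilteredProc in the second) no longer fails when the open succeeds: with exitCode == 0 and err == nil the loop just continues, and c.Fatalf is reached only in the unlikely exitCode == 0 with err != nil case, so the test passes even when the /proc filtering it is meant to verify is absent. The `return` on a non-zero exit also ends the whole test at the first path, so the remaining files in the loop are never exercised. Replace the two ifs with a single `if exitCode == 0 { c.Fatalf("Open FD for read should have failed with permission denied, got: %s, %v", out, err) }`, and the write variant likewise using `code`. Both functions start outside their hunks.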