Your message dated Sun, 15 Jul 2018 18:41:45 +1000
with message-id <4966324.mZ6rfb5ClL@deblab>
and subject line Done: docker.io: update AppArmor policy for newer AppArmor
has caused the Debian Bug report #764405,
regarding docker.io: update AppArmor policy for newer AppArmor
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
764405: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764405
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: docker.io
Version: 1.2.0~dfsg1-1
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu utopic ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:
  * debian/patches/sync-apparmor-with-lxc.patch: update AppArmor policy to
    be in sync with LXC. Specifically this:
    - reorganizes the rules to allow for easier comparison with other
      container policy
    - adds comments for many rules
    - adds bare dbus rule
    - adds ptrace rule to allow ptracing ourselves
    - adds deny mount options=(ro, remount, silent) -> /
    - allows hugetlbfs
    - adds cgmanager mount
    - adds /sys/fs/pstore mount
    - more specific /sys/kernel/security mount options
    - more specific /sys mount options
    - more specific /proc/sys/kernel/* deny rules
    - more specific /proc/sys/net deny rules
    - more specific /sys/class deny rules
    - more specific /sys/devices deny rules
    - more specific /sys/fs deny rules


Now, Ubuntu has dbus, signal, ptrace and unix mediation whereas Debian does
not yet (this is part of the upcoming AppArmor 2.9 and the corresponding
kernel patches are being worked on now). You'll likely want to apply this patch
either specifically if being built on Ubuntu or conditionally if you
are building against AppArmor 2.9.

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 'utopic')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-18-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru docker.io-1.2.0~dfsg1/debian/changelog docker.io-1.2.0~dfsg1/debian/changelog
diff -Nru docker.io-1.2.0~dfsg1/debian/patches/series docker.io-1.2.0~dfsg1/debian/patches/series
--- docker.io-1.2.0~dfsg1/debian/patches/series	2014-09-12 17:31:57.000000000 -0500
+++ docker.io-1.2.0~dfsg1/debian/patches/series	2014-10-01 13:20:13.000000000 -0500
@@ -11,3 +11,4 @@
 # Upstream deltas:
 #  -> Let there be light on non-amd64
 enable-non-amd64-arches.patch
+sync-apparmor-with-lxc.patch
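Review bot: listing sync-apparmor-with-lxc.patch in debian/patches/series applies it unconditionally, while the cover letter says the `dbus,` and `ptrace` rules it introduces only parse with AppArmor 2.9, which Debian does not yet ship; rather than an unconditional series entry, gate the patch (for example from debian/rules on the AppArmor version being built against, or on the Ubuntu vendor) as the cover letter itself suggests. The debian/changelog diff header above carries no hunk, so the changelog entry documenting this change is not visible in the debdiff.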
diff -Nru docker.io-1.2.0~dfsg1/debian/patches/sync-apparmor-with-lxc.patch docker.io-1.2.0~dfsg1/debian/patches/sync-apparmor-with-lxc.patch
--- docker.io-1.2.0~dfsg1/debian/patches/sync-apparmor-with-lxc.patch	1969-12-31 18:00:00.000000000 -0600
+++ docker.io-1.2.0~dfsg1/debian/patches/sync-apparmor-with-lxc.patch	2014-10-01 13:23:40.000000000 -0500
@@ -0,0 +1,173 @@
+Author: Jamie Strandboge <[email protected]>
+Description: sync AppArmor policy up with current LXC/libvirt-lxc policy
+
+Index: docker.io-1.2.0~dfsg1/libcontainer/apparmor/gen.go
+===================================================================
+--- docker.io-1.2.0~dfsg1.orig/libcontainer/apparmor/gen.go
++++ docker.io-1.2.0~dfsg1/libcontainer/apparmor/gen.go
+@@ -22,40 +22,147 @@ profile {{.Name}} flags=(attach_disconne
+   {{$value}}
+ {{end}}
+ 
+-  network,
+-  capability,
++  # Globally allows everything to run under this profile. This is fine-tuned
++  # later
++  # in this profile and can be narrowed depending on the container's use.
+   file,
++  capability,
++  network,
++
++  # the container may never be allowed to mount devpts.  If it does, it
++  # will remount the host's devpts.  We could allow it to do it with
++  # the newinstance option (but, right now, we don't).
++  deny mount fstype=devpts,
++
+   umount,
+ 
++  # This also needs additional rules to reach outside of the container via
++  # DBus, so just let all of DBus within the container.
++  dbus,
++
++  # Allow us to ptrace ourselves
++  ptrace peer=@{profile_name},
++
++  # ignore DENIED message on / remount
++  deny mount options=(ro, remount) -> /,
++  deny mount options=(ro, remount, silent) -> /,
++
++  # allow tmpfs mounts everywhere
+   mount fstype=tmpfs,
++
++  # allow hugetlbfs mounts everywhere
++  mount fstype=hugetlbfs,
++
++  # allow mqueue mounts everywhere
+   mount fstype=mqueue,
++
++  # allow fuse mounts everywhere
+   mount fstype=fuse.*,
++
++  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
++  deny @{PROC}/sys/fs/** wklx,
++
++  # allow efivars to be mounted, writing to it will be blocked though
+   mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+-  mount fstype=fusectl -> /sys/fs/fuse/connections/,
+-  mount fstype=securityfs -> /sys/kernel/security/,
+-  mount fstype=debugfs -> /sys/kernel/debug/,
+-  mount fstype=proc -> /proc/,
+-  mount fstype=sysfs -> /sys/,
+ 
+-  deny @{PROC}/sys/fs/** wklx,
++  # block some other dangerous paths
+   deny @{PROC}/sysrq-trigger rwklx,
+   deny @{PROC}/mem rwklx,
+   deny @{PROC}/kmem rwklx,
+-  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+-  deny @{PROC}/sys/kernel/*/** wklx,
+ 
+-  deny mount options=(ro, remount) -> /,
++  # deny writes in /sys except for /sys/fs/cgroup, also allow
++  # fusectl, securityfs and debugfs to be mounted there (read-only)
++  mount fstype=fusectl -> /sys/fs/fuse/connections/,
++  mount fstype=securityfs -> /sys/kernel/security/,
++  mount fstype=debugfs -> /sys/kernel/debug/,
+   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+-  deny mount fstype=devpts,
+-
+-  deny /sys/[^f]*/** wklx,
+-  deny /sys/f[^s]*/** wklx,
+-  deny /sys/fs/[^c]*/** wklx,
+-  deny /sys/fs/c[^g]*/** wklx,
+-  deny /sys/fs/cg[^r]*/** wklx,
++  mount fstype=proc -> /proc/,
++  mount fstype=sysfs -> /sys/,
+   deny /sys/firmware/efi/efivars/** rwklx,
+   deny /sys/kernel/security/** rwklx,
++  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
++
++  mount options=(rw nosuid nodev noexec remount) -> /sys/,
++  mount options=(rw remount) -> /sys/kernel/security/,
++  mount options=(rw remount) -> /sys/fs/pstore/,
++  mount options=(ro remount) -> /sys/fs/pstore/,
++
++  deny /proc/sys/[^kn]*{,/**} wklx,
++  deny /proc/sys/k[^e]*{,/**} wklx,
++  deny /proc/sys/ke[^r]*{,/**} wklx,
++  deny /proc/sys/ker[^n]*{,/**} wklx,
++  deny /proc/sys/kern[^e]*{,/**} wklx,
++  deny /proc/sys/kerne[^l]*{,/**} wklx,
++  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
++  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
++  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
++  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
++  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
++  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
++  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
++  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
++  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
++  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
++  deny /proc/sys/kernel/domainname?*{,/**} wklx,
++  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
++  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
++  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
++  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
++  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
++  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
++  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
++  deny /proc/sys/kernel/hostname?*{,/**} wklx,
++  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
++  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
++  deny /proc/sys/kernel/msg*/** wklx,
++  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
++  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
++  deny /proc/sys/kernel/sem*/** wklx,
++  deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
++  deny /proc/sys/kernel/shm*/** wklx,
++  deny /proc/sys/kernel?*{,/**} wklx,
++  deny /proc/sys/n[^e]*{,/**} wklx,
++  deny /proc/sys/ne[^t]*{,/**} wklx,
++  deny /proc/sys/net?*{,/**} wklx,
++  deny /sys/[^fdc]*{,/**} wklx,
++  deny /sys/c[^l]*{,/**} wklx,
++  deny /sys/cl[^a]*{,/**} wklx,
++  deny /sys/cla[^s]*{,/**} wklx,
++  deny /sys/clas[^s]*{,/**} wklx,
++  deny /sys/class/[^n]*{,/**} wklx,
++  deny /sys/class/n[^e]*{,/**} wklx,
++  deny /sys/class/ne[^t]*{,/**} wklx,
++  deny /sys/class/net?*{,/**} wklx,
++  deny /sys/class?*{,/**} wklx,
++  deny /sys/d[^e]*{,/**} wklx,
++  deny /sys/de[^v]*{,/**} wklx,
++  deny /sys/dev[^i]*{,/**} wklx,
++  deny /sys/devi[^c]*{,/**} wklx,
++  deny /sys/devic[^e]*{,/**} wklx,
++  deny /sys/device[^s]*{,/**} wklx,
++  deny /sys/devices/[^v]*{,/**} wklx,
++  deny /sys/devices/v[^i]*{,/**} wklx,
++  deny /sys/devices/vi[^r]*{,/**} wklx,
++  deny /sys/devices/vir[^t]*{,/**} wklx,
++  deny /sys/devices/virt[^u]*{,/**} wklx,
++  deny /sys/devices/virtu[^a]*{,/**} wklx,
++  deny /sys/devices/virtua[^l]*{,/**} wklx,
++  deny /sys/devices/virtual/[^n]*{,/**} wklx,
++  deny /sys/devices/virtual/n[^e]*{,/**} wklx,
++  deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
++  deny /sys/devices/virtual/net?*{,/**} wklx,
++  deny /sys/devices/virtual?*{,/**} wklx,
++  deny /sys/devices?*{,/**} wklx,
++  deny /sys/f[^s]*{,/**} wklx,
++  deny /sys/fs/[^c]*{,/**} wklx,
++  deny /sys/fs/c[^g]*{,/**} wklx,
++  deny /sys/fs/cg[^r]*{,/**} wklx,
++  deny /sys/fs/cgr[^o]*{,/**} wklx,
++  deny /sys/fs/cgro[^u]*{,/**} wklx,
++  deny /sys/fs/cgrou[^p]*{,/**} wklx,
++  deny /sys/fs/cgroup?*{,/**} wklx,
++  deny /sys/fs?*{,/**} wklx,
+ }
+ `
+ 
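Review bot: the new bare `dbus,` rule grants the container unrestricted D-Bus access, and its comment ("This also needs additional rules to reach outside of the container via DBus, so just let all of DBus within the container") explains the shortcut but not its scope; say explicitly that it is an allow-all placeholder to be narrowed, as the comment over `file,`/`capability,`/`network,` already does. That comment block has a stray wrap (`# later` followed by `# in this profile`) worth joining into one line. Both `dbus,` and `ptrace peer=@{profile_name},` are emitted by the gen.go template with no version guard, so on a parser without dbus/ptrace mediation the generated profile fails to load; either guard them in the template or keep the whole patch conditional. The DEP-3 header carries only Author and Description; add Origin and Forwarded so the upstream status of the patch is recorded.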

--- End Message ---
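The cover letter asks for the patch to be applied conditionally on the AppArmor version being built against. One way to express that at profile-generation time, as an added example and not code from the docker.io package or the Ubuntu patch: a cut-down Go template in the style of libcontainer's gen.go that emits the `dbus,` and `ptrace` rules only when the parser reports a version of at least 2.9. The template text, the `ParserVersion`/`SupportsMediation`/`GenerateProfile` names and the sample "AppArmor parser version" banner lines are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"text/template"
)

// Hypothetical, cut-down profile template in the style of libcontainer's
// gen.go. Only the rules relevant to the version gate are kept; the
// dbus/ptrace rules are emitted when Mediation is true.
const profileTemplate = `#include <tunables/global>

profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  file,
  capability,
  network,
  umount,
{{if .Mediation}}
  # These rule types need AppArmor 2.9 (dbus/ptrace mediation); an older
  # parser rejects the profile, so they are gated on the detected version.
  dbus,
  ptrace peer=@{profile_name},
{{end}}
  deny mount fstype=devpts,
  deny @{PROC}/sysrq-trigger rwklx,
}
`

type profileData struct {
	Name      string
	Mediation bool
}

var versionRe = regexp.MustCompile(`version (\d+)\.(\d+)`)

// ParserVersion extracts major.minor from the banner printed by
// "apparmor_parser --version" (assumed to look like
// "AppArmor parser version 2.9.0").
func ParserVersion(output string) (int, int, error) {
	m := versionRe.FindStringSubmatch(output)
	if m == nil {
		return 0, 0, fmt.Errorf("no parser version found in %q", output)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	return major, minor, nil
}

// SupportsMediation reports whether a parser of the given version accepts
// dbus and ptrace rules, i.e. whether it is 2.9 or newer.
func SupportsMediation(major, minor int) bool {
	return major > 2 || (major == 2 && minor >= 9)
}

// GenerateProfile renders the profile for the given parser version,
// including the dbus/ptrace rules only when the parser is new enough.
func GenerateProfile(name string, major, minor int) (string, error) {
	tmpl, err := template.New("apparmor").Parse(profileTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	data := profileData{Name: name, Mediation: SupportsMediation(major, minor)}
	if err := tmpl.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed samples of the parser's version banner, one below and one
	// at the 2.9 threshold.
	samples := []string{
		"AppArmor parser version 2.8.95\n",
		"AppArmor parser version 2.9.0\n",
	}
	for _, s := range samples {
		maj, mn, err := ParserVersion(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		profile, err := GenerateProfile("docker-default", maj, mn)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("--- parser %d.%d ---\n%s\n", maj, mn, profile)
	}
}
```

Gating in the template keeps one patch for both distributions and makes the generated profile load on either parser; the alternative the cover letter mentions, applying the whole patch only when building against AppArmor 2.9, moves the same decision into debian/rules.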
--- Begin Message ---
Thanks for the patch but it should be applied upstream and it is too old to 
forward. If this improvement is still valid then please consider reporting it 
to upstream developers.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.



--- End Message ---
