Hello community,

here is the log from the commit of package docker for openSUSE:Factory checked 
in at 2018-04-17 11:13:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
 and      /work/SRC/openSUSE:Factory/.docker.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker"

Tue Apr 17 11:13:13 2018 rev:72 rq:595995 version:17.09.1_ce

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker/docker.changes    2018-04-05 
15:29:33.880658384 +0200
+++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes       2018-04-17 
11:13:16.234359837 +0200
@@ -1,0 +2,13 @@
+Tue Apr 10 09:25:43 UTC 2018 - [email protected]
+
+- Add patch to handle AppArmor changes that make 'docker kill' stop working.
+  bsc#1073877
+  + bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+
+-------------------------------------------------------------------
+Fri Apr  6 04:21:28 UTC 2018 - [email protected]
+
+- Fix manpage generation breaking ppc64le builds due to a missing
+  -buildemode=pie.
+
+-------------------------------------------------------------------
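Review bot: The Apr 6 entry spells the flag as `-buildemode=pie`, while the docker.spec hunk in this same commit adds `-buildmode=pie` to the `go build` line. Correct the spelling in docker.changes so that a search of the changelog for the flag finds this entry.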

New:
----
  bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker.spec ++++++
--- /var/tmp/diff_new_pack.Hwf7BQ/_old  2018-04-17 11:13:16.942326633 +0200
+++ /var/tmp/diff_new_pack.Hwf7BQ/_new  2018-04-17 11:13:16.946326445 +0200
@@ -66,6 +66,8 @@
 Patch400:       
bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. 
bsc#1021227 bsc#1029320 bsc#1058173
 Patch401:       
bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. 
bsc#1073877
+Patch402:       
bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -194,6 +196,8 @@
 %patch400 -p1
 # bsc#1021227 bsc#1029320 bsc#1058173
 %patch401 -p1
+# bsc#1073877
+%patch402 -p1
 
 cp %{SOURCE7} .
 cp %{SOURCE9} .
@@ -251,9 +255,8 @@
 ./scripts/build/dynbinary
 
 mkdir -p ./man/man1
-go build -o gen-manpages github.com/docker/cli/man
+go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
 ./gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1"
-rm gen-manpages
 ./man/md2man-all.sh
 cd ../..
 

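Review bot: The dropped `rm gen-manpages` line after the `./gen-manpages --root ...` call is not explained anywhere in this commit; the changelog entry only mentions the missing `-buildmode=pie`. If the removal is intentional, state the reason in docker.changes or in a spec comment next to the `go build` line. Otherwise keep the `rm` so the helper binary does not remain in the build tree for the steps that follow.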
++++++ 
bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch 
++++++
>From c11493737b4a5ffd59d635650f3a0d45f220ad2b Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <[email protected]>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'

In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.

SUSE-Bug: bsc#1073877
Signed-off-by: Goldwyn Rodrigues <[email protected]>
Signed-off-by: Aleksa Sarai <[email protected]>
---
 components/engine/profiles/apparmor/template.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/components/engine/profiles/apparmor/template.go 
b/components/engine/profiles/apparmor/template.go
index c5ea4584de6b..4830ac440645 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) 
{
   capability,
   file,
   umount,
+  signal (receive) peer=unconfined,
 
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a 
subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
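Review bot: The added `signal (receive) peer=unconfined,` rule has no comment in the template, unlike the `deny @{PROC}/* w,` rule a few lines below it, so a reader of the profile cannot tell why it is there. Add a short comment stating that it exists so the container can receive signals sent by 'docker kill' from outside the profile. The rule as written accepts every signal from any unconfined peer, which matches the commit message ("allowing all unconfined signals to be received"); since this widens the default container profile, it is worth stating in the commit message whether a narrower rule was considered.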
-- 
2.16.3

