Hello community,

here is the log from the commit of package docker-kubic for openSUSE:Factory checked in at 2018-05-04 11:30:38

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker-kubic (Old)
 and      /work/SRC/openSUSE:Factory/.docker-kubic.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker-kubic" Fri May 4 11:30:38 2018 rev:8 rq:603685 version:17.09.1_ce Changes: -------- --- /work/SRC/openSUSE:Factory/docker-kubic/docker-kubic.changes 2018-04-13 12:51:41.531374376 +0200 +++ /work/SRC/openSUSE:Factory/.docker-kubic.new/docker-kubic.changes 2018-05-04 11:30:45.400999175 +0200 @@ -1,0 +2,7 @@ +Thu May 3 12:04:33 UTC 2018 - [email protected] + +- Add patch to handle AppArmor changes that make 'docker kill' stop working. + bsc#1073877 + + bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + +------------------------------------------------------------------- New: ---- bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker-kubic.spec ++++++ --- /var/tmp/diff_new_pack.HhHiWS/_old 2018-05-04 11:30:46.124972612 +0200 +++ /var/tmp/diff_new_pack.HhHiWS/_new 2018-05-04 11:30:46.124972612 +0200 @@ -71,6 +71,7 @@ # SUSE-FEATURE: Add support to mirror inofficial/private registries # (https://github.com/moby/moby/pull/34319) Patch500: private-registry-0001-Add-private-registry-mirror-support.patch +Patch501: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -218,6 +219,8 @@ %patch401 -p1 # PATCH-SUSE: Mirror patch. %patch500 -p1 +# bsc#1073877 +%patch501 -p1 cp %{SOURCE7} . cp %{SOURCE9} . ++++++ bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch ++++++ >From fb59d17b2617ebee34f91786428f63571a19bb74 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai <[email protected]> Date: Sun, 8 Apr 2018 20:21:30 +1000 Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill' In newer kernels, AppArmor will reject attempts to send signals to a container because the signal originated from outside of that AppArmor profile. Correct this by allowing all unconfined signals to be received. SUSE-Bugs: bsc#1073877 boo#1089732 Signed-off-by: Goldwyn Rodrigues <[email protected]> Signed-off-by: Aleksa Sarai <[email protected]> --- components/engine/profiles/apparmor/template.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go index c5ea4584de6b..47c1b0659a15 100644 --- a/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go @@ -17,6 +17,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { capability, file, umount, +{{if ge .Version 208096}} +{{/* Allow 'docker kill' to actually send signals to container processes. */}} + signal (receive) peer=unconfined, +{{end}} deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) # deny write to files not in /proc/<number>/** or /proc/sys/** -- 2.16.3
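Review bot: the new docker-kubic.changes entry references only bsc#1073877, while the patch it adds carries `SUSE-Bugs: bsc#1073877 boo#1089732` in its header; add `boo#1089732` to the changelog entry as well so the public bug is traceable from the package history, not only from inside the patch file.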
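Review bot: the `Patch501:` declaration in docker-kubic.spec is added without the descriptive comment the neighbouring entry has (Patch500 is preceded by a `# SUSE-FEATURE:` line and the upstream PR URL); add a comment stating that this is a bug fix for bsc#1073877 / boo#1089732 and whether it has been submitted to moby, so whoever rebases the package later knows if the patch can be dropped.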
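Review bot: the comment above `%patch501 -p1` is only the bare bug number, whereas the adjacent `# PATCH-SUSE: Mirror patch.` says what the patch does; a one-line description in the same style (what it fixes plus `bsc#1073877`) keeps the `%prep` section readable without opening the patch.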
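Review bot: the `{{if ge .Version 208096}}` gate around the new rule is an undocumented magic number, and it does not express the condition the commit message describes: the message says newer kernels reject the signal, but the rule is emitted or omitted based on the template's `.Version` value, so the gate can only guard against emitting a `signal` rule that an older parser would not understand, not against the kernel behaviour being fixed. Add a comment next to the constant saying what `.Version` is compared against and which release 208096 encodes. The rule `signal (receive) peer=unconfined,` also admits every signal from any unconfined process, not only from dockerd; `docker kill` is the motivating case, but the template comment should state that broader scope rather than only the intended use. Finally, `{{/* ... */}}` is a Go template comment and is dropped from the rendered profile, so if the explanation is meant to be visible in the generated profile an AppArmor `#` comment is needed instead.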
