Hello community,

here is the log from the commit of package docker for openSUSE:Factory checked in at 2019-12-18 14:43:18

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
 and      /work/SRC/openSUSE:Factory/.docker.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Wed Dec 18 14:43:18 2019 rev:99 rq:756079 version:19.03.5_ce Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2019-12-11 12:03:22.136784677 +0100 +++ /work/SRC/openSUSE:Factory/.docker.new.4691/docker.changes 2019-12-18 14:46:26.281887013 +0100 @@ -1,0 +2,11 @@ +Thu Dec 12 13:27:21 UTC 2019 - Aleksa Sarai <[email protected]> + +- Add backport of https://github.com/docker/docker/pull/39121. bsc#1122469 + + bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch + +------------------------------------------------------------------- +Wed Dec 11 23:55:40 UTC 2019 - Aleksa Sarai <[email protected]> + +- Support older SLE systems which don't have "usermod -w -v". + +------------------------------------------------------------------- @@ -67 +78,2 @@ - /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1142160 CVE-2019-13509 + /usr/share/doc/packages/docker/CHANGELOG.md. + * Includes fixes for CVE-2019-13509 bsc#1142160. @@ -148,0 +161,2 @@ + * Includes fix for CVE-2018-10892 bsc#1100331. + * Includes fix for CVE-2018-20699 bsc#1121768. New: ---- bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.PMgLqi/_old 2019-12-18 14:46:27.581887608 +0100 +++ /var/tmp/diff_new_pack.PMgLqi/_new 2019-12-18 14:46:27.581887608 +0100 
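Review bot: the Dec 11 changelog entry "Support older SLE systems which don't have usermod -w -v" should say what the fallback actually does, namely appending a fixed "dockremap:100000000:100000001" line straight into /etc/subuid and /etc/subgid when usermod fails. An administrator who later finds that hand-written entry has nothing in the changelog telling them where it came from or that it was not allocated by shadow-utils, so one more sentence here would save a support round-trip.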
@@ -77,10 +77,12 @@ # branch in http://github.com/suse/docker.mirror. Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch +# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907. +Patch300: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch # SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277 Patch401: bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch -# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907. -Patch402: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch +# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/39121. bsc#1122469 +Patch402: bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch # SUSE-FEATURE: Add support to mirror inofficial/private registries # (https://github.com/docker/docker/pull/34319) Patch500: private-registry-0001-Add-private-registry-mirror-support.patch @@ -255,9 +257,11 @@ %patch200 -p1 %patch201 -p1 %endif +# revert upstream +%patch300 -p1 # bsc#1099277 %patch401 -p1 -# revert upstream +# bsc#1122469 %patch402 -p1 %if "%flavour" == "kubic" # PATCH-SUSE: Mirror patch. 
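Review bot: while this hunk renumbers the patches, the context line above Patch401 cites bsc#1099277 but the file is named bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch, so one of the two bug references is stale; fix it in the same hunk rather than leaving the mismatch next to freshly corrected comments. Note also that moving the revert from Patch402 to Patch300 changes the %prep order (the revert of docker/docker#37907 now applies before %patch401 instead of after it); the file names suggest the packaging revert and the apparmor patches touch different files, so no conflict is expected, but a clean rebuild is the check that the reordering is harmless.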
@@ -419,12 +423,21 @@ # used for --userns-remap=default. getent passwd dockremap >/dev/null || \ useradd -Ur -p '!' -s /bin/false -c 'docker --userns-remap=default' dockremap + +# /etc/sub[ug]id should exist already (it's part of shadow-utils), but older +# distros don't have it. Docker just parses it and doesn't need any special +# shadow-utils helpers. +touch /etc/subuid /etc/subgid ||: + # "useradd -r" doesn't add sub[ug]ids so we manually add some. Hopefully there # aren't any conflicts here, because usermod doesn't provide the same "get # unusued range" feature that dockremap does. -touch /etc/sub{uid,gid} -grep -q '^dockremap:' /etc/sub{uid,gid} || \ - usermod -v 100000000-200000000 -w 100000000-200000000 dockremap +grep -q '^dockremap:' /etc/subuid || \ + usermod -v 100000000-200000000 dockremap &>/dev/null || \ + echo "dockremap:100000000:100000001" >>/etc/subuid ||: +grep -q '^dockremap:' /etc/subgid || \ + usermod -w 100000000-200000000 dockremap &>/dev/null || \ + echo "dockremap:100000000:100000001" >>/etc/subgid ||: %service_add_pre %{realname}.service ++++++ bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch ++++++ >From cb676052272ed4f6f3b901dbc21510fabf742860 Mon Sep 17 00:00:00 2001 From: Goldwyn Rodrigues <[email protected]> Date: Mon, 22 Apr 2019 09:08:28 -0500 Subject: [PATCH] apparmor: allow readby and tracedby Fixes audit errors such as: type=AVC msg=audit(1550236803.810:143): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3181 comm="ps" requested_mask="readby" denied_mask="readby" peer="docker-default" audit(1550236375.918:3): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=2267 comm="ps" requested_mask="tracedby" denied_mask="tracedby" peer="docker-default" SUSE-Bugs: bsc#1122469 Signed-off-by: Goldwyn Rodrigues <[email protected]> Signed-off-by: Aleksa Sarai <[email protected]> --- components/engine/profiles/apparmor/template.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
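Review bot: in the %pre scriptlet the echo fallback fires on any usermod failure, not only on an old usermod that lacks -v/-w, because `&>/dev/null` throws away the reason. If usermod understands the option but refuses because 100000000-200000000 overlaps a range already assigned to another account in /etc/subuid, the scriptlet then appends exactly that overlapping range anyway, which silently defeats the overlap check the comment above it worries about and gives dockremap (and hence every --userns-remap=default container) subordinate IDs another user may already own. Suggest testing for the missing option explicitly instead of for any failure, for example `usermod --help 2>&1 | grep -q -- ' -v' || echo "dockremap:100000000:100000001" >>/etc/subuid`, and keeping usermod's stderr so a real refusal is visible in the rpm output. Two smaller points on the same lines: `&>` is a bashism (rpm runs scriptlets with /bin/sh, which is bash on SUSE, but `>/dev/null 2>&1` costs nothing), and the trailing `||:` also hides a failed append, after which dockerd will fail at start with no hint in the package log. The count in the fallback is right, since 100000000-200000000 inclusive is 100000001 IDs.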
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go index 400b3bd50a11..d8db0ee2fb36 100644 --- a/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go @@ -44,7 +44,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { {{if ge .Version 208095}} # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container - ptrace (trace,read) peer={{.Name}}, + ptrace (trace,read,tracedby,readby) peer={{.Name}}, {{end}} } ` -- 2.24.0
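Review bot: the comment kept above the rule still says only "suppress ptrace denials when using 'docker ps' or using 'ps' inside a container", which no longer explains why two more permissions are needed; it should state that AppArmor checks both ends of a ptrace, the tracer's `trace,read` and the tracee's `tracedby,readby`, which is exactly what the audit lines in the commit message show (requested_mask="readby" and "tracedby", peer="docker-default"). One caveat worth recording in the same comment: `peer={{.Name}}` matches every process confined by the same profile, not the same container, so as far as AppArmor is concerned any process under that profile may now be read or traced by any other process under it. That was already true in the `trace,read` direction before this patch, and cross-container isolation still rests on pid namespaces and the kernel's own ptrace access checks, but spelling it out stops a later reader from taking the rule as "same container only". The `{{if ge .Version 208095}}` guard means older apparmor_parser versions skip the rule entirely, so the fix does nothing on those systems, which is consistent with the existing behaviour of the block.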
