Hello community,

here is the log from the commit of package docker for openSUSE:Factory checked 
in at 2023-10-12 23:39:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
 and      /work/SRC/openSUSE:Factory/.docker.new.1807 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker"

Thu Oct 12 23:39:14 2023 rev:139 rq:1116896 version:24.0.6_ce

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker/docker.changes    2023-09-14 
16:27:11.081838083 +0200
+++ /work/SRC/openSUSE:Factory/.docker.new.1807/docker.changes  2023-10-12 
23:39:43.435717146 +0200
@@ -1,0 +2,12 @@
+Wed Oct 11 10:32:43 UTC 2023 - Aleksa Sarai <asa...@suse.com>
+
+- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
+  version-specific templating for the default apparmor profile. bsc#1213500
+  + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+
+-------------------------------------------------------------------

New:
----
  0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker.spec ++++++
--- /var/tmp/diff_new_pack.wdu9To/_old  2023-10-12 23:39:44.267747264 +0200
+++ /var/tmp/diff_new_pack.wdu9To/_new  2023-10-12 23:39:44.267747264 +0200
@@ -67,7 +67,9 @@
 # UPSTREAM: Revert of upstream patch to keep SLE-12 build working.
 Patch200:       0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
 # UPSTREAM: Backport of <https://github.com/moby/moby/pull/41954>.
-Patch300:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+Patch201:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+# UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
+Patch202:       0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
 # UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
 Patch900:       cli-0001-docs-include-required-tools-in-source-tree.patch
 BuildRequires:  audit
@@ -215,7 +217,9 @@
 %patch200 -p1
 %endif
 # bsc#1099277
-%patch300 -p1
+%patch201 -p1
+# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
+%patch202 -p1
 
 %build
 %sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
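Review bot: `%patch202 -p1` on the line after the new comment is applied unconditionally, while the other SLE-12 revert (`%patch200`) sits inside a conditional that closes at the `%endif` just above this hunk; the guard's condition is outside the hunk, so I cannot tell whether the two are meant to differ. Since 0005 makes profile generation shell out to `apparmor_parser --version` and fail when that fails (see the profiles/apparmor/apparmor.go part of the patch), it is worth stating in the comment whether applying it on non-SLE-12 targets is deliberate, e.g. `# Solves apparmor issues on SLE-12; applied everywhere because the version-gated rules are a no-op on newer apparmor_parser.` The `# bsc#1099277` comment now sits above `%patch201`, whose definition in the first hunk refers to moby/moby#41954 and bsc1073877; confirm the reference still matches.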

++++++ 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch ++++++
--- /var/tmp/diff_new_pack.wdu9To/_old  2023-10-12 23:39:44.295748277 +0200
+++ /var/tmp/diff_new_pack.wdu9To/_new  2023-10-12 23:39:44.299748422 +0200
@@ -1,7 +1,7 @@
 From 2dedd52de834525fa533aba7854b91fdc783d821 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
 
 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is

++++++ 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch ++++++
--- /var/tmp/diff_new_pack.wdu9To/_old  2023-10-12 23:39:44.311748856 +0200
+++ /var/tmp/diff_new_pack.wdu9To/_new  2023-10-12 23:39:44.311748856 +0200
@@ -1,7 +1,7 @@
 From bd4c072521bdee906febc98d81ac092fcad8fc3b Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
 
 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.

++++++ 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch ++++++
--- /var/tmp/diff_new_pack.wdu9To/_old  2023-10-12 23:39:44.327749435 +0200
+++ /var/tmp/diff_new_pack.wdu9To/_new  2023-10-12 23:39:44.331749580 +0200
@@ -1,7 +1,7 @@
 From fd0172ba27352f397ce7ff05d5dd1ec6c80054e5 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Mon, 22 May 2023 15:44:54 +1000
-Subject: [PATCH 3/4] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
+Subject: [PATCH 3/5] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
  headers"
 
 This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.

++++++ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch ++++++
--- /var/tmp/diff_new_pack.wdu9To/_old  2023-10-12 23:39:44.343750014 +0200
+++ /var/tmp/diff_new_pack.wdu9To/_new  2023-10-12 23:39:44.347750159 +0200
@@ -1,7 +1,7 @@
 From c19fad9e09248bf390fe9b2cd38f351104f186b8 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
  start
 
 In the process of making docker-default reloading far less expensive,

++++++ 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch ++++++
>From 69790a375a38aca33a81c9b88aece9a0efd79726 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asa...@suse.de>
Date: Wed, 11 Oct 2023 21:19:12 +1100
Subject: [PATCH 5/5] SLE12: revert "apparmor: remove version-conditionals from
 template"

This reverts the following commits:

 * 7008a514493a ("profiles/apparmor: remove version-conditional constraints (< 
2.8.96)")
 * 2e19a4d56bf2 ("contrib/apparmor: remove version-conditionals (< 2.9) from 
template")
 * d169a5730649 ("contrib/apparmor: remove remaining version-conditionals (< 
2.9) from template")
 * ecaab085db4b ("profiles/apparmor: remove use of aaparser.GetVersion()")
 * e3e715666f95 ("pkg/aaparser: deprecate GetVersion, as it's no longer used")

These version conditionals are still required on SLE 12, where our
apparmor_parser version is quite old.

Signed-off-by: Aleksa Sarai <cyp...@cyphar.com>
---
 contrib/apparmor/main.go      | 16 ++++++++++++++--
 contrib/apparmor/template.go  | 16 ++++++++++++++++
 pkg/aaparser/aaparser.go      |  2 --
 profiles/apparmor/apparmor.go | 14 ++++++++++++--
 profiles/apparmor/template.go |  4 ++++
 5 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
index d67890d265de..f4a2978b86cb 100644
--- a/contrib/apparmor/main.go
+++ b/contrib/apparmor/main.go
@@ -6,9 +6,13 @@ import (
        "os"
        "path"
        "text/template"
+
+       "github.com/docker/docker/pkg/aaparser"
 )
 
-type profileData struct{}
+type profileData struct {
+       Version int
+}
 
 func main() {
        if len(os.Args) < 2 {
@@ -18,6 +22,15 @@ func main() {
        // parse the arg
        apparmorProfilePath := os.Args[1]
 
+       version, err := aaparser.GetVersion()
+       if err != nil {
+               log.Fatal(err)
+       }
+       data := profileData{
+               Version: version,
+       }
+       fmt.Printf("apparmor_parser is of version %+v\n", data)
+
        // parse the template
        compiled, err := 
template.New("apparmor_profile").Parse(dockerProfileTemplate)
        if err != nil {
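Review bot: The `fmt.Printf("apparmor_parser is of version %+v\n", data)` line prints the whole struct (`{Version:NNN}`) rather than the version itself, which is what the message promises; `fmt.Printf("apparmor_parser is of version %d\n", version)` says the same thing without exposing the struct layout in the output. The hunk assumes `fmt` and `log` are already imported in main.go; the import block shown at the top of this file's diff starts at line 6, so they are presumably above it, but that is not visible here. `main` starts before this hunk and continues past it.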
@@ -35,7 +48,6 @@ func main() {
        }
        defer f.Close()
 
-       data := profileData{}
        if err := compiled.Execute(f, data); err != nil {
                log.Fatalf("executing template failed: %v", err)
        }
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
index 58afcbe845ee..e6d0b6d37c58 100644
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 
   umount,
   pivot_root,
+{{if ge .Version 209000}}
   signal (receive) peer=@{profile_name},
   signal (receive) peer=unconfined,
   signal (send),
+{{end}}
   network,
   capability,
   owner /** rw,
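Review bot: The threshold `209000` is repeated at every new `{{if ge .Version 209000}}` in this file (this hunk and the hunks at the ptrace, change_profile, ptrace-deny, iptables/auplink, modprobe and xz rules) with nothing saying what the number encodes; from the commit message ("version-conditionals (< 2.9)") and the `208096`/`208095` thresholds in profiles/apparmor/template.go it appears to be the parser version packed as major*100000 + minor*1000 + patch, but that should be confirmed against aaparser.GetVersion. A template comment at the first occurrence would make the rest readable, e.g. `{{/* signal, ptrace and change_profile rules need apparmor_parser >= 2.9.0 (Version >= 209000) */}}`; template comments are dropped from the generated profile, so the output is unchanged. The raw-string constant these hunks live in starts and ends outside the hunks.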
@@ -45,10 +47,12 @@ profile /usr/bin/docker (attach_disconnected, complain) {
   /etc/ld.so.cache r,
   /etc/passwd r,
 
+{{if ge .Version 209000}}
   ptrace peer=@{profile_name},
   ptrace (read) peer=docker-default,
   deny ptrace (trace) peer=docker-default,
   deny ptrace peer=/usr/bin/docker///bin/ps,
+{{end}}
 
   /usr/lib/** rm,
   /lib/** rm,
@@ -69,9 +73,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
   /sbin/zfs rCx,
   /sbin/apparmor_parser rCx,
 
+{{if ge .Version 209000}}
   # Transitions
   change_profile -> docker-*,
   change_profile -> unconfined,
+{{end}}
 
   profile /bin/cat (complain) {
     /etc/ld.so.cache r,
@@ -93,8 +99,10 @@ profile /usr/bin/docker (attach_disconnected, complain) {
     /dev/null rw,
     /bin/ps mr,
 
+{{if ge .Version 209000}}
     # We don't need ptrace so we'll deny and ignore the error.
     deny ptrace (read, trace),
+{{end}}
 
     # Quiet dac_override denials
     deny capability dac_override,
@@ -112,11 +120,15 @@ profile /usr/bin/docker (attach_disconnected, complain) {
     /proc/tty/drivers r,
   }
   profile /sbin/iptables (complain) {
+{{if ge .Version 209000}}
     signal (receive) peer=/usr/bin/docker,
+{{end}}
     capability net_admin,
   }
   profile /sbin/auplink flags=(attach_disconnected, complain) {
+{{if ge .Version 209000}}
     signal (receive) peer=/usr/bin/docker,
+{{end}}
     capability sys_admin,
     capability dac_override,
 
@@ -135,7 +147,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
     /proc/[0-9]*/mounts rw,
   }
   profile /sbin/modprobe /bin/kmod (complain) {
+{{if ge .Version 209000}}
     signal (receive) peer=/usr/bin/docker,
+{{end}}
     capability sys_module,
     /etc/ld.so.cache r,
     /lib/** rm,
@@ -149,7 +163,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
   }
   # xz works via pipes, so we do not need access to the filesystem.
   profile /usr/bin/xz (complain) {
+{{if ge .Version 209000}}
     signal (receive) peer=/usr/bin/docker,
+{{end}}
     /etc/ld.so.cache r,
     /lib/** rm,
     /usr/bin/xz rm,
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
index 3d7c2c5a97b3..2b5a2605f9c1 100644
--- a/pkg/aaparser/aaparser.go
+++ b/pkg/aaparser/aaparser.go
@@ -13,8 +13,6 @@ const (
 )
 
 // GetVersion returns the major and minor version of apparmor_parser.
-//
-// Deprecated: no longer used, and will be removed in the next release.
 func GetVersion() (int, error) {
        output, err := cmd("", "--version")
        if err != nil {
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
index d0f236160506..b3566b2f7354 100644
--- a/profiles/apparmor/apparmor.go
+++ b/profiles/apparmor/apparmor.go
@@ -14,8 +14,10 @@ import (
        "github.com/docker/docker/pkg/aaparser"
 )
 
-// profileDirectory is the file store for apparmor profiles and macros.
-const profileDirectory = "/etc/apparmor.d"
+var (
+       // profileDirectory is the file store for apparmor profiles and macros.
+       profileDirectory = "/etc/apparmor.d"
+)
 
 // profileData holds information about the given profile for generation.
 type profileData struct {
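Review bot: `profileDirectory` changes from a `const` to a package-level `var` although nothing in this patch assigns to it, so the reason for making the path that decides where profiles are written mutable is not visible; if it exists so tests can redirect it, the comment should say so, e.g. `// profileDirectory is the file store for apparmor profiles and macros. It is a var so tests can point it at a temporary directory.` If nothing overrides it, keeping the `const` (the pre-patch form) avoids introducing mutable package state for no gain.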
@@ -27,6 +29,8 @@ type profileData struct {
        Imports []string
        // InnerImports defines the apparmor functions to import in the profile.
        InnerImports []string
+       // Version is the {major, minor, patch} version of apparmor_parser as a 
single number.
+       Version int
 }
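Review bot: The new comment on `Version` says the version is "a single number" but not how it is composed, while the thresholds that consume it in profiles/apparmor/template.go (`208096`, `208095`) only make sense once the packing is known; from the commit message it appears to be major*100000 + minor*1000 + patch (2.8.96 → 208096), but this should be checked against aaparser.GetVersion, whose own doc comment in this patch still says it returns "the major and minor version". Suggested wording once confirmed: `// Version is the apparmor_parser version packed as major*100000 + minor*1000 + patch (e.g. 2.8.96 -> 208096).` The `profileData` struct starts before this hunk.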
 
 // generateDefault creates an apparmor profile from ProfileData.
@@ -46,6 +50,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
                p.InnerImports = append(p.InnerImports, "#include 
<abstractions/base>")
        }
 
+       ver, err := aaparser.GetVersion()
+       if err != nil {
+               return err
+       }
+       p.Version = ver
+
        return compiled.Execute(out, p)
 }
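Review bot: The error from `aaparser.GetVersion()` is returned bare, and because this is now the only step in `generateDefault` that runs an external program, an operator seeing the failure cannot tell it apart from a template error without context; `return fmt.Errorf("reading apparmor_parser version: %w", err)` would name the step (whether `fmt` is imported in this file is not visible in the hunk). It is also worth a one-line comment that the lookup happens on every profile generation, since the daemon now depends on `apparmor_parser` being executable at that point rather than only when the profile is loaded. `generateDefault` starts before this hunk.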
 
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
index 5dcf35bf45c7..ed5892a7f6bd 100644
--- a/profiles/apparmor/template.go
+++ b/profiles/apparmor/template.go
@@ -24,12 +24,14 @@ profile {{.Name}} 
flags=(attach_disconnected,mediate_deleted) {
   capability,
   file,
   umount,
+{{if ge .Version 208096}}
   # Host (privileged) processes may send signals to container processes.
   signal (receive) peer=unconfined,
   # dockerd may send signals to container processes (for "docker kill").
   signal (receive) peer={{.DaemonProfile}},
   # Container processes may send signals amongst themselves.
   signal (send,receive) peer={{.Name}},
+{{end}}
 
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a 
subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
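Review bot: The signal rules here are gated on `{{if ge .Version 208096}}` while the ptrace rule in the next hunk is gated on `{{if ge .Version 208095}}`, and nothing explains why the two thresholds differ by one; if both values are taken verbatim from the upstream code being reverted, a template comment saying so would stop the next reader from "fixing" one to match the other, e.g. `{{/* signal mediation needs apparmor_parser >= 2.8.96; ptrace mediation below needs >= 2.8.95 (thresholds as in the upstream template before 7008a514493a) */}}`. Note that a `profileData` whose `Version` was never set (zero) now silently renders a profile without any signal or ptrace rules, so every caller of this template must go through the code path that fills it in. The raw-string constant containing these hunks starts and ends outside them.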
@@ -49,7 +51,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) 
{
   deny /sys/firmware/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
+{{if ge .Version 208095}}
   # suppress ptrace denials when using 'docker ps' or using 'ps' inside a 
container
   ptrace (trace,read,tracedby,readby) peer={{.Name}},
+{{end}}
 }
 `
-- 
2.42.0
