commit:     e9c58a50e6e18182552a96b6f76dc86d6693ed54
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Wed Apr 24 17:32:02 2019 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Thu Apr 25 03:33:25 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9c58a50

app-emulation/docker: remove unused patch(es)

Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/11816
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org>

 .../bsc1073877-docker-apparmor-add-signal-r2.patch | 72 ----------------------
 1 file changed, 72 deletions(-)

diff --git 
a/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch 
b/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
deleted file mode 100644
index fd365425fb9..00000000000
--- a/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 4822fb1e2423d88cdf0ad5d039b8fd3274b05401 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asa...@suse.de>
-Date: Sun, 8 Apr 2018 20:21:30 +1000
-Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
-
-In newer kernels, AppArmor will reject attempts to send signals to a
-container because the signal originated from outside of that AppArmor
-profile. Correct this by allowing all unconfined signals to be received.
-
-Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com>
-Signed-off-by: Aleksa Sarai <asa...@suse.de>
----
- profiles/apparmor/apparmor.go | 21 +++++++++++++++++++++
- profiles/apparmor/template.go |  6 ++++++
- 2 files changed, 27 insertions(+)
-
-diff --git a/components/engine/profiles/apparmor/apparmor.go 
b/components/engine/profiles/apparmor/apparmor.go
-index b021668c8e4c..2f58ee852cab 100644
---- a/components/engine/profiles/apparmor/apparmor.go
-+++ b/components/engine/profiles/apparmor/apparmor.go
-@@ -23,6 +23,8 @@ var (
- type profileData struct {
-       // Name is profile name.
-       Name string
-+      // DaemonProfile is the profile name of our daemon.
-+      DaemonProfile string
-       // Imports defines the apparmor functions to import, before defining 
the profile.
-       Imports []string
-       // InnerImports defines the apparmor functions to import in the profile.
-@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
-               Name: name,
-       }
- 
-+      // Figure out the daemon profile.
-+      currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
-+      if err != nil {
-+              // If we couldn't get the daemon profile, assume we are running
-+              // unconfined which is generally the default.
-+              currentProfile = nil
-+      }
-+      daemonProfile := string(currentProfile)
-+      // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
-+      // profiles cannot contain spaces so this doesn't restrict daemon 
profile
-+      // names.
-+      if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
-+              daemonProfile = parts[0]
-+      }
-+      if daemonProfile == "" {
-+              daemonProfile = "unconfined"
-+      }
-+      p.DaemonProfile = daemonProfile
-+
-       // Install to a temporary directory.
-       f, err := ioutil.TempFile("", name)
-       if err != nil {
-diff --git a/components/engine/profiles/apparmor/template.go 
b/components/engine/profiles/apparmor/template.go
-index c00a3f70e993..400b3bd50a11 100644
---- a/components/engine/profiles/apparmor/template.go
-+++ b/components/engine/profiles/apparmor/template.go
-@@ -17,6 +17,12 @@ profile {{.Name}} 
flags=(attach_disconnected,mediate_deleted) {
-   capability,
-   file,
-   umount,
-+{{if ge .Version 208096}}
-+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
-+  signal (receive) peer={{.DaemonProfile}},
-+{{/* Allow container processes to send signals amongst themselves. */}}
-+  signal (send,receive) peer={{.Name}},
-+{{end}}
- 
-   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a 
subdir)
-   # deny write to files not in /proc/<number>/** or /proc/sys/**
