Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[20.10 backport] Fix AppArmor profile docker-default /proc/sys rule #45716

Merged
merged 1 commit into from
Jun 9, 2023
Merged

[20.10 backport] Fix AppArmor profile docker-default /proc/sys rule #45716

merged 1 commit into from
Jun 9, 2023

Conversation

ameyag
Copy link
Contributor

@ameyag ameyag commented Jun 8, 2023

Backport of #39792

@philsphicas @ameyag
Fix AppArmor profile docker-default /proc/sys rule
b1c04fc 
The current docker-default AppArmor profile intends to block write
access to everything in `/proc`, except for `/proc/<pid>` and
`/proc/sys/kernel/shm*`.

Currently the rules block access to everything in `/proc/sys`, and do
not successfully allow access to `/proc/sys/kernel/shm*`. Specifically,
a path like /proc/sys/kernel/shmmax matches this part of the pattern:

    deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]*     }/** w,
         /proc  / s     y     s     /     kernel /shmmax

This patch updates the rule so that it works as intended.

Closes moby#39791

Signed-off-by: Phil Sphicas <phil.sphicas@att.com>
(cherry picked from commit 66f14e4)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
@thaJeztah thaJeztah added this to the 20.10.26 milestone Jun 8, 2023
thaJeztah
thaJeztah approved these changes Jun 8, 2023
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@corhere
Copy link
Contributor

corhere commented Jun 9, 2023

The test failure looks unrelated as it's also happening on branch builds.

[2023-06-09T13:59:20.892Z] === FAIL: amd64.integration-cli TestDockerDaemonSuite/TestDaemonNoSpaceLeftOnDeviceError (1.58s)
[2023-06-09T13:59:20.892Z]     docker_cli_daemon_test.go:1783: assertion failed: 
[2023-06-09T13:59:20.892Z]         Command:  /usr/local/cli/docker run --privileged --rm -v /tmp/no-space-left-on-device-test2409333128:/test:shared busybox sh -c mkdir -p /test/test-mount/vfs && mount -n -t ext4 /test/testfs.img /test/test-mount/vfs
[2023-06-09T13:59:20.892Z]         ExitCode: 2
[2023-06-09T13:59:20.892Z]         Error:    exit status 2
[2023-06-09T13:59:20.892Z]         Stdout:   
[2023-06-09T13:59:20.892Z]         Stderr:   mount: can't setup loop device: No such file or directory
[2023-06-09T13:59:20.892Z]         
[2023-06-09T13:59:20.892Z]         
[2023-06-09T13:59:20.892Z]         Failures:
[2023-06-09T13:59:20.892Z]         ExitCode was 2 expected 0
[2023-06-09T13:59:20.892Z]         Expected no error
[2023-06-09T13:59:20.892Z]     check_test.go:308: [d7487d9d4d75e] daemon is not started
[2023-06-09T13:59:20.892Z]     --- FAIL: TestDockerDaemonSuite/TestDaemonNoSpaceLeftOnDeviceError (1.58s)

@corhere corhere merged commit 1e57f01 into moby:20.10 Jun 9, 2023
1 of 2 checks passed
@ameyag ameyag deleted the 20.10-apparmor-template branch June 9, 2023 19:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corhere corhere corhere approved these changes

@neersighted neersighted neersighted approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees
No one assigned
Labels
area/security/apparmor impact/changelog status/2-code-review
Projects
None yet
Milestone
20.10.26
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@ameyag @corhere @neersighted @thaJeztah @philsphicas