From f628f2f8be9629369f2fd0304f55cac775b1966a Mon Sep 17 00:00:00 2001
From: Joel Hansson
Date: Thu, 3 Dec 2015 09:57:58 +0100
Subject: [PATCH] Enable ptrace in a container on apparmor below 2.9

Ubuntu 14.04 LTS is on apparmor 2.8.95. This enables `ps` inside a container without causing audit log entries on the host.

Signed-off-by: Joel Hansson
Upstream-commit: 6480feb7668851d3878bf36eedc5fd8ffa789e25
Component: engine
---
 components/engine/daemon/execdriver/native/apparmor.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/components/engine/daemon/execdriver/native/apparmor.go b/components/engine/daemon/execdriver/native/apparmor.go
index 87c1aeaadb..dffc6d3e13 100644
--- a/components/engine/daemon/execdriver/native/apparmor.go
+++ b/components/engine/daemon/execdriver/native/apparmor.go
@@ -60,12 +60,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
 
+{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}
+# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+ptrace (trace,read) peer=docker-default,
+{{end}}{{end}}
 {{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
 # docker daemon confinement requires explict allow rule for signal
 signal (receive) set=(kill,term) peer={{.ExecPath}},
-
-# suppress ptrace denails when using 'docker ps'
-ptrace (trace,read) peer=docker-default,
 {{end}}{{end}}
 }
 `
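Review bot: The new guard `{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}` tests the minor version independently of the major, so an AppArmor 3.0 (major 3, minor 0) parser would fail the inner check and the ptrace rule would be silently dropped again, bringing back the denials the commit is meant to suppress; the pre-existing `ge .MinorVersion 9` guard for the signal rule has the same flaw. A version comparison that composes correctly is `{{if or (gt .MajorVersion 2) (and (eq .MajorVersion 2) (ge .MinorVersion 8))}}` with a single matching `{{end}}`. Separately, `peer=docker-default` grants trace and read to any task confined by the same profile, which every container launched with the default profile shares, so at the AppArmor layer this no longer separates containers from each other and cross-container isolation then rests on pid namespaces, capability drops and the kernel's ptrace scope settings; a short comment stating that assumption next to the rule would help the next reader, e.g. `# peer=docker-default matches all containers under this profile; cross-container ptrace isolation relies on pid namespaces, not AppArmor`. The surrounding template string begins and ends outside this hunk.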