From d83e2238793fe9aba9cc66547929ad32baa228d7 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Mon, 12 Oct 2015 10:41:18 -0400
Subject: [PATCH] Policy extensions for user namespaces and docker exec

A few additions to the policy when running with user namespaces enabled and when running 'docker exec'.

Signed-off-by: Stefan Berger
Upstream-commit: 6079d9d6a3b63fa8d9aa7a3981c6c37cc435bccb
Component: engine
---
 components/engine/contrib/apparmor/template.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/components/engine/contrib/apparmor/template.go b/components/engine/contrib/apparmor/template.go
index 49c950e8e1..eb3cb76f1f 100644
--- a/components/engine/contrib/apparmor/template.go
+++ b/components/engine/contrib/apparmor/template.go
@@ -33,14 +33,19 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 @{DOCKER_GRAPH_PATH}/linkgraph.db k,
 @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
 @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
+ @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,
 # For non-root client use:
 /dev/urandom r,
+ /dev/null rw,
+ /dev/pts/[0-9]* rw,
 /run/docker.sock rw,
 /proc/** r,
+ /proc/[0-9]*/attr/exec w,
 /sys/kernel/mm/hugepages/ r,
 /etc/localtime r,
 /etc/ld.so.cache r,
+ /etc/passwd r,
 {{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
 ptrace peer=@{profile_name},