docker-cli

Files

Sebastiaan van Stijn d8bfd4004a Fix AppArmor not being applied to Exec processes

Exec processes do not automatically inherit AppArmor
profiles from the container.

This patch sets the AppArmor profile for the exec
process.

Before this change:

    apparmor_parser -q -r <<EOF
    #include <tunables/global>
    profile deny-write flags=(attach_disconnected) {
      #include <abstractions/base>
      file,
      network,
      deny /tmp/** w,
      capability,
    }
    EOF

    docker run -dit --security-opt "apparmor=deny-write" --name aa busybox

    docker exec aa sh -c 'mkdir /tmp/test'
    (no error)

With this change applied:

    docker exec aa sh -c 'mkdir /tmp/test'
    mkdir: can't create directory '/tmp/test': Permission denied

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8f3308ae10ec9ad0dd4edfb46fde53a0e1e19b34)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

2018-03-20 10:13:17 +01:00

caps

Add canonical import comment

2018-02-05 16:51:57 -05:00

cluster

Fix to address regression caused by PR 30897

2018-03-06 13:42:37 +01:00

config

Add canonical import comment

2018-02-05 16:51:57 -05:00

discovery

Add canonical import comment

2018-02-05 16:51:57 -05:00

events

Add canonical import comment

2018-02-05 16:51:57 -05:00

exec

Add canonical import comment

2018-02-05 16:51:57 -05:00

graphdriver

Merge pull request #35829 from cpuguy83/no_private_mount_for_plugins

2018-02-21 12:28:13 +01:00

initlayer

Add canonical import comment

2018-02-05 16:51:57 -05:00

links

Add canonical import comment

2018-02-05 16:51:57 -05:00

listeners

Add canonical import comment

2018-02-05 16:51:57 -05:00

logger

Merge pull request #35829 from cpuguy83/no_private_mount_for_plugins

2018-02-21 12:28:13 +01:00

names

Add canonical import comment

2018-02-05 16:51:57 -05:00

network

Add canonical import comment

2018-02-05 16:51:57 -05:00

stats

Add canonical import comment

2018-02-05 16:51:57 -05:00

testdata

Remove libtrust dep from api

2017-09-06 12:05:19 -04:00

apparmor_default_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

apparmor_default.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

archive_tarcopyoptions_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

archive_tarcopyoptions_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

archive_tarcopyoptions.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

archive_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

archive_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

archive.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

attach.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

auth.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

bindmount_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

build.go

builder: fix layer lifecycle leak

2018-03-05 14:11:22 -08:00

cache.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

changes.go

c.RWLayer: check for nil before use

2018-02-09 11:24:09 -08:00

checkpoint.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

cluster.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

commit.go

Use TagImage in Commit

2018-02-09 20:53:39 -05:00

configs_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

configs_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

configs_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

configs.go

Merge configs/secrets in unix implementation

2018-02-16 11:25:14 -05:00

container_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

container_operations_unix.go

Merge configs/secrets in unix implementation

2018-02-16 11:25:14 -05:00

container_operations_windows.go

Merge configs/secrets in unix implementation

2018-02-16 11:25:14 -05:00

container_operations.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

container_unix_test.go

Display a warn message when there is binding ports and net mode is host

2018-02-18 13:28:44 +00:00

container_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

container.go

Merge pull request #35510 from ripcurld0/fix_35500

2018-02-19 08:57:36 +01:00

create_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

create_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

create_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

create.go

Remove unnecessary getLayerInit

2018-02-14 11:59:10 -05:00

daemon_linux_test.go

Ensure daemon root is unmounted on shutdown

2018-02-15 15:58:20 -05:00

daemon_linux.go

Ensure daemon root is unmounted on shutdown

2018-02-15 15:58:20 -05:00

daemon_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

daemon_unix_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

daemon_unix.go

Remove duplicate rootFSToAPIType

2018-02-14 11:59:18 -05:00

daemon_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

daemon_windows_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

daemon_windows.go

Remove duplicate rootFSToAPIType

2018-02-14 11:59:18 -05:00

daemon.go

Merge pull request #36303 from dnephin/cleanup-in-daemon-unix

2018-02-16 14:55:18 -08:00

debugtrap_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

debugtrap_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

debugtrap_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

delete_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

delete.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

dependency.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

disk_usage.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

errors.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

events_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

events.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

exec_linux_test.go

Fix AppArmor not being applied to Exec processes

2018-03-20 10:13:17 +01:00

exec_linux.go

Fix AppArmor not being applied to Exec processes

2018-03-20 10:13:17 +01:00

exec_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

exec.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

export.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

getsize_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

health_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

health.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

image_delete.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

image_exporter.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

image_history.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

image_inspect.go

Remove duplicate rootFSToAPIType

2018-02-14 11:59:18 -05:00

image_pull.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

image_push.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

image_tag.go

Use TagImage in Commit

2018-02-09 20:53:39 -05:00

image.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

images.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

import.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

info_unix_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

info_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

info_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

info.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

inspect_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

inspect_test.go

c.RWLayer: check for nil before use

2018-02-09 11:24:09 -08:00

inspect_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

inspect.go

c.RWLayer: check for nil before use

2018-02-09 11:24:09 -08:00

keys_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

keys.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

kill.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

links.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

list_test.go

Clean some cli-only integration tests

2018-02-19 11:19:19 +01:00

list_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

list_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

list.go

Test invalid filter and move validation on top

2018-02-15 16:24:26 +01:00

logdrivers_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

logdrivers_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

logs_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

logs.go

Move log validator logic after plugins are loaded

2018-02-15 11:53:11 -05:00

metrics_unix.go

Merge pull request #35829 from cpuguy83/no_private_mount_for_plugins

2018-02-21 12:28:13 +01:00

metrics_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

metrics.go

Merge pull request #35829 from cpuguy83/no_private_mount_for_plugins

2018-02-21 12:28:13 +01:00

monitor_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

monitor_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

monitor.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

mounts.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

names.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

network.go

Delete the load balancer endpoint in Ingress nets

2018-03-14 12:12:32 +01:00

oci_linux_test.go

daemon/oci_linux_test: add TestIpcPrivateVsReadonly

2018-03-12 14:09:50 +01:00

oci_linux.go

daemon/setMounts(): do not make /dev/shm ro

2018-03-12 14:09:44 +01:00

oci_windows.go

Merge configs/secrets in unix implementation

2018-02-16 11:25:14 -05:00

pause.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

prune.go

Remove broken container check from image prune

2018-02-08 18:10:46 -05:00

reload_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

reload_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

reload_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

reload.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

rename.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

resize.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

restart.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

search_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

search.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

seccomp_disabled.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

seccomp_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

seccomp_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

secrets_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

secrets_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

secrets_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

secrets.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

selinux_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

selinux_unsupported.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

start_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

start_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

start.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

stats_collector.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

stats_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

stats_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

stats.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

stop.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

top_unix_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

top_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

top_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

trustkey_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

trustkey.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

unpause.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

update_linux.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

update_windows.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

update.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

volumes_linux_test.go

Use rslave propagation for mounts from daemon root

2018-02-07 14:27:09 -05:00

volumes_linux.go

Use rslave propagation for mounts from daemon root

2018-02-07 14:27:09 -05:00

volumes_unit_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

volumes_unix_test.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

volumes_unix.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

volumes_windows.go

Merge pull request #36055 from cpuguy83/slave_mounts_for_root

2018-02-15 12:57:25 +01:00

volumes.go

Merge pull request #36055 from cpuguy83/slave_mounts_for_root

2018-02-15 12:57:25 +01:00

wait.go

Add canonical import comment

2018-02-05 16:51:57 -05:00

workdir.go

Add canonical import comment

2018-02-05 16:51:57 -05:00