From 5832715052e9e165cc40a5ac8178fa62685985aa Mon Sep 17 00:00:00 2001
From: Eric Windisch
Date: Wed, 29 Jul 2015 16:57:14 -0400
Subject: [PATCH 1/2] Fix the proc integration test & include missing AA profile
Integration tests were failing due to proc filter behavior changes with new apparmor policies. Also include the missing docker-unconfined policy resolving potential startup errors. This policy is complain-only so it should behave identically to the standard unconfined policy, but will not apply system path-based policies within containers.
Signed-off-by: Eric Windisch
---
 daemon/execdriver/native/apparmor.go | 18 ++++++++++++++++++
 daemon/execdriver/native/create.go | 2 +-
 integration-cli/docker_cli_run_test.go | 13 ++++++++++---
 3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index ecbaf33510..254f0a2c40 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -40,6 +40,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 file,
 umount,
+ signal (receive) peer=/usr/bin/docker,
+ signal (receive) peer=docker-unconfined,
+
 deny @{PROC}/sys/fs/** wklx,
 deny @{PROC}/fs/** wklx,
 deny @{PROC}/sysrq-trigger rwklx,
@@ -60,6 +63,21 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
 }
+
+profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) {
+ #include
+
+ network,
+ capability,
+ file,
+ umount,
+ mount,
+ pivot_root,
+ change_profile -> *,
+
+ ptrace,
+ signal,
+}
 `
 func generateProfile(out io.Writer) error {
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index c7fc33d1d5..dc3eacf9af 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
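Review bot: The new `signal (receive) peer=/usr/bin/docker,` rule matches on the sending task's AppArmor label, not on its executable path, so it only applies when the daemon is confined under a profile that carries that exact name; a daemon running unconfined is labelled `unconfined` and would still need its own `signal (receive) peer=unconfined,` rule for the container to accept its signals. Whether the packaged docker-engine profile is declared under the path name is not visible in this patch, so it is worth confirming, and a template comment such as `# signals from the daemon (confined as /usr/bin/docker) and from docker-unconfined peers` would record the assumption. The profile template this hunk sits in begins before the hunk.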
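Review bot: The `#include` line in the new docker-unconfined profile carries no target as shown, which apparmor_parser would reject; since the file already relies on `@{PROC}`, which the tunables define, this is presumably an angle-bracketed path dropped by rendering, but the source should be checked. Separately, the `complain` flag makes every rule here advisory — unmatched operations are logged, nothing is blocked — so `change_profile -> *,`, `ptrace,` and `signal,` do not extend what unconfined already permitted, and readers may still mistake the profile for a confinement; a comment above it along the lines of `# complain-only: exists so privileged containers are not subject to host path-based profiles, not to restrict them` (the rationale the commit message gives) would prevent that. The Go raw-string literal holding the template continues past the end of the hunk.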
@@ -198,7 +198,7 @@ func (d *Driver) setPrivileged(container *configs.Config) (err error) {
 container.Devices = hostDevices
 if apparmor.IsEnabled() {
- container.AppArmorProfile = "unconfined"
+ container.AppArmorProfile = "docker-unconfined"
 }
 return nil
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 1a51ff331b..761217bc1b 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -2440,7 +2440,11 @@ func (s *DockerSuite) TestRunReadFilteredProc(c *check.C) {
 name := fmt.Sprintf("procsieve-%d", i)
 shellCmd := fmt.Sprintf("exec 3<%s", filePath)
- if out, exitCode, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd); err == nil || exitCode == 0 {
+ out, exitCode, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+ if exitCode != 0 {
+ return
+ }
+ if err != nil {
 c.Fatalf("Open FD for read should have failed with permission denied, got: %s, %v", out, err)
 }
 }
@@ -2545,8 +2549,11 @@ func (s *DockerSuite) TestRunWriteFilteredProc(c *check.C) {
 name := fmt.Sprintf("writeprocsieve-%d", i)
 shellCmd := fmt.Sprintf("exec 3>%s", filePath)
- runCmd := exec.Command(dockerBinary, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
- if out, exitCode, err := runCommandWithOutput(runCmd); err == nil || exitCode == 0 {
+ out, code, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+ if code != 0 {
+ return
+ }
+ if err != nil {
 c.Fatalf("Open FD for write should have failed with permission denied, got: %s, %v", out, err)
 }
 }
From 0f4e5f71491abc0e7c4f4effe1f3c59aa9bf6a33 Mon Sep 17 00:00:00 2001
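Review bot: `"unconfined"` is a label the kernel always accepts, whereas `"docker-unconfined"` only resolves once the generated profile has actually been loaded, so if the load fails or has not happened yet a privileged container now fails to start rather than running unconfined as before; the load path is not in this hunk, so confirm it runs before setPrivileged or fall back to `"unconfined"` when the profile is absent. The name is now a literal both here and in the template in apparmor.go, and a shared constant, e.g. `const unconfinedProfile = "docker-unconfined"`, would keep the two from drifting apart. setPrivileged begins and ends outside the hunk.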
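Review bot: The rewritten check in TestRunReadFilteredProc can no longer fail in the case it exists to catch: when the open succeeds, `exitCode` is 0 so the early `return` is skipped, `err` is nil, and `c.Fatalf` is unreachable, while when the open is correctly denied (`exitCode != 0`) the `return` ends the whole test before the remaining paths in the loop are tried. If the intent is to assert the denial, the condition should be `if exitCode == 0 { c.Fatalf("Open FD for read should have failed with permission denied, got: %s, %v", out, err) }`; if the intent is to tolerate paths the host kernel does not expose, that skip should key off the error output and use `continue` rather than `return`. The same inversion is in the TestRunWriteFilteredProc hunk that follows. Both loops open outside their hunks.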
From: Eric Windisch
Date: Wed, 29 Jul 2015 17:45:32 -0400
Subject: [PATCH 2/2] Remove container AA profile from packaging
Signed-off-by: Eric Windisch
---
 hack/make/.build-deb/rules | 1 -
 hack/make/ubuntu | 4 +---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/hack/make/.build-deb/rules b/hack/make/.build-deb/rules
index ae2defcc0b..be45676c1d 100755
--- a/hack/make/.build-deb/rules
+++ b/hack/make/.build-deb/rules
@@ -34,7 +34,6 @@ override_dh_installudev:
 override_dh_install:
 dh_install
- dh_apparmor --profile-name=docker -pdocker-engine
 dh_apparmor --profile-name=docker-engine -pdocker-engine
 %:
diff --git a/hack/make/ubuntu b/hack/make/ubuntu
index 76c3f29053..24246da76a 100644
--- a/hack/make/ubuntu
+++ b/hack/make/ubuntu
@@ -74,8 +74,7 @@ bundle_ubuntu() {
 # Include contributed apparmor policy
 mkdir -p "$DIR/etc/apparmor.d/"
- cp contrib/apparmor/docker "$DIR/etc/apparmor.d/"
- cp contrib/apparmor/docker-engine "$DIR/etc/apparmor.d/"
+ cp contrib/apparmor/* "$DIR/etc/apparmor.d/"
 # Copy the binary
 # This will fail if the binary bundle hasn't been built
@@ -95,7 +94,6 @@ if [ "$1" = 'configure' ] && [ -z "$2" ]; then
 fi
 if ( aa-status --enabled ); then
- /sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker
 /sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker-engine
 fi
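Review bot: `cp contrib/apparmor/* "$DIR/etc/apparmor.d/"` ships every file in that directory rather than the one profile the commit intends to keep: if contrib/apparmor/docker is still in the tree, the container profile this patch is removing from packaging is copied anyway, and any non-profile file added there later lands in apparmor.d where the boot-time parser will fail on it. Naming the file explicitly, `cp contrib/apparmor/docker-engine "$DIR/etc/apparmor.d/"`, keeps this hunk consistent with the postinst hunk below, which now reloads only docker-engine. That second hunk also drops the reload of /etc/apparmor.d/docker but nothing removes a copy left by an earlier install, so a stale container profile can stay loaded across an upgrade — presumably harmless if the runtime-generated profile replaces it by name, but worth stating in the commit message.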