authorMichael Mair-Keimberger <m.mairkeimberger@gmail.com>2019-04-24 19:32:02 +0200
committerAaron Bauman <bman@gentoo.org>2019-04-24 23:33:25 -0400
commite9c58a50e6e18182552a96b6f76dc86d6693ed54 (patch)
treeff4a121dbca3485c70698abbc382453f0b42b35b /app-emulation/docker
parentapp-crypt/mit-krb5: update patch for LibreSSL 2.9.1 (diff)
app-emulation/docker: remove unused patch(es)
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/11816 Signed-off-by: Aaron Bauman <bman@gentoo.org>
Diffstat (limited to 'app-emulation/docker')
-rw-r--r--app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch72
1 files changed, 0 insertions, 72 deletions
diff --git a/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch b/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
deleted file mode 100644
index fd365425fb95..000000000000
--- a/app-emulation/docker/files/bsc1073877-docker-apparmor-add-signal-r2.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 4822fb1e2423d88cdf0ad5d039b8fd3274b05401 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Sun, 8 Apr 2018 20:21:30 +1000
-Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
-
-In newer kernels, AppArmor will reject attempts to send signals to a
-container because the signal originated from outside of that AppArmor
-profile. Correct this by allowing all unconfined signals to be received.
-
-Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- profiles/apparmor/apparmor.go | 21 +++++++++++++++++++++
- profiles/apparmor/template.go | 6 ++++++
- 2 files changed, 27 insertions(+)
-
-diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
-index b021668c8e4c..2f58ee852cab 100644
---- a/components/engine/profiles/apparmor/apparmor.go
-+++ b/components/engine/profiles/apparmor/apparmor.go
-@@ -23,6 +23,8 @@ var (
- type profileData struct {
- // Name is profile name.
- Name string
-+ // DaemonProfile is the profile name of our daemon.
-+ DaemonProfile string
- // Imports defines the apparmor functions to import, before defining the profile.
- Imports []string
- // InnerImports defines the apparmor functions to import in the profile.
-@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
- Name: name,
- }
-
-+ // Figure out the daemon profile.
-+ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
-+ if err != nil {
-+ // If we couldn't get the daemon profile, assume we are running
-+ // unconfined which is generally the default.
-+ currentProfile = nil
-+ }
-+ daemonProfile := string(currentProfile)
-+ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
-+ // profiles cannot contain spaces so this doesn't restrict daemon profile
-+ // names.
-+ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
-+ daemonProfile = parts[0]
-+ }
-+ if daemonProfile == "" {
-+ daemonProfile = "unconfined"
-+ }
-+ p.DaemonProfile = daemonProfile
-+
- // Install to a temporary directory.
- f, err := ioutil.TempFile("", name)
- if err != nil {
-diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
-index c00a3f70e993..400b3bd50a11 100644
---- a/components/engine/profiles/apparmor/template.go
-+++ b/components/engine/profiles/apparmor/template.go
-@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
- capability,
- file,
- umount,
-+{{if ge .Version 208096}}
-+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
-+ signal (receive) peer={{.DaemonProfile}},
-+{{/* Allow container processes to send signals amongst themselves. */}}
-+ signal (send,receive) peer={{.Name}},
-+{{end}}
-
- deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
- # deny write to files not in /proc/<number>/** or /proc/sys/**