Skip to content

Commit

Permalink
interfaces/builtin: add exec "/bin/runc" to docker-support
Browse files Browse the repository at this point in the history 
Newer runC applied further improvements to their CVE-2019-5736 mitigation in opencontainers/runc#1984 which change the nature of our apparmor denial from `/` to `/bin/runc` (which I have also commented on https://bugs.launchpad.net/apparmor/+bug/1820344 about).

See also #6610.

(originally from Tianon Gravi, but re-committed due to CLA issues with the PR checks)

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
  • Loading branch information
@anonymouse64 @mvo5
anonymouse64 authored and mvo5 committed Jul 15, 2019
1 parent c7e40b1 commit 311c029
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions interfaces/builtin/docker_support.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,7 @@ ptrace (read, trace) peer=docker-default,
# needed by runc for mitigation of CVE-2019-5736
# For details see https://bugs.launchpad.net/apparmor/+bug/1820344
/ ix,
/bin/runc rix,
`

const dockerSupportConnectedPlugSecComp = `
Expand Down

0 comments on commit 311c029

Please sign in to comment.