From cf7694869a75a83893442ae59156a7a0ab53117c Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 10 Jul 2019 16:14:16 -0700 Subject: [PATCH] interfaces/builtin: add exec "/bin/runc" to docker-support Newer runC applied further improvements to their CVE-2019-5736 mitigation in https://github.com/opencontainers/runc/pull/1984 which change the nature of our apparmor denial from `/` to `/bin/runc` (which I have also commented on https://bugs.launchpad.net/apparmor/+bug/1820344 about). See also https://github.com/snapcore/snapd/pull/6610. Signed-off-by: Tianon Gravi --- interfaces/builtin/docker_support.go | 1 + 1 file changed, 1 insertion(+) diff --git a/interfaces/builtin/docker_support.go b/interfaces/builtin/docker_support.go index 349c2f21bb1b..bbc414b124b6 100644 --- a/interfaces/builtin/docker_support.go +++ b/interfaces/builtin/docker_support.go @@ -156,6 +156,7 @@ ptrace (read, trace) peer=docker-default, # needed by runc for mitigation of CVE-2019-5736 # For details see https://bugs.launchpad.net/apparmor/+bug/1820344 +/bin/runc rix, / ix, `
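Review bot: the new `/bin/runc rix,` rule grants read plus inherit-execute, while the adjacent `/ ix,` rule it is paired with grants execute only and the subject line says only "add exec"; either drop the `r` so the two rules match, or extend the comment block (which currently cites only https://bugs.launchpad.net/apparmor/+bug/1820344) to cite https://github.com/opencontainers/runc/pull/1984 and state why read access is needed and why the denied path moved from `/` to `/bin/runc`. Also say in that comment whether `/ ix,` must stay for older runC releases, since a future reader will otherwise not know whether one of the two rules can be removed.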