Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

interfaces/docker-support: add exec "/bin/runc" #7090

Closed
wants to merge 1 commit into from
Closed

interfaces/docker-support: add exec "/bin/runc" #7090

wants to merge 1 commit into from

Conversation

tianon
Copy link
Contributor

@tianon tianon commented Jul 10, 2019

Newer runC applied further improvements to their CVE-2019-5736 mitigation in opencontainers/runc#1984 which change the nature of our apparmor denial from / to /bin/runc (which I have also commented on https://bugs.launchpad.net/apparmor/+bug/1820344 about).

See also #6610.

cc @anonymouse64

@bboozzoo bboozzoo requested a review from jdstrand July 11, 2019 06:40
mvo5
mvo5 approved these changes Jul 11, 2019
View reviewed changes
Copy link
Contributor

@mvo5 mvo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but needs an ACK from jdstrand too.

@anonymouse64
Copy link
Contributor

@tianon it looks like the CLA failed, can you repush with an email that has signed the CLA or sign the CLA with your new email?

anonymouse64
anonymouse64 approved these changes Jul 11, 2019
View reviewed changes
Copy link
Contributor

@anonymouse64 anonymouse64 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I tested it with the edge channel of the docker snap and containers were runnable with:

$ sudo snap install docker --edge
$ sudo docker run -it --rm bash

Still needs review from @jdstrand though as @mvo5 points out

jdstrand
jdstrand approved these changes Jul 11, 2019
View reviewed changes
Copy link

@jdstrand jdstrand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jdstrand jdstrand changed the title interfaces/builtin: add exec "/bin/runc" to docker-support interfaces/docker-support: add exec "/bin/runc" Jul 11, 2019
@tianon
Copy link
Contributor Author

tianon commented Jul 11, 2019

Welp, I signed the CLA and rebased/force pushed to force a recheck but it still comes back rejected. 😕

zyga
zyga approved these changes Jul 12, 2019
View reviewed changes
Copy link
Contributor

@zyga zyga left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, I'll monitor the CLA situation.

@tianon
interfaces/builtin: add exec "/bin/runc" to docker-support
1c496d5 
Newer runC applied further improvements to their CVE-2019-5736 mitigation in opencontainers/runc#1984 which change the nature of our apparmor denial from `/` to `/bin/runc` (which I have also commented on https://bugs.launchpad.net/apparmor/+bug/1820344 about).

See also canonical#6610.

Signed-off-by: Tianon Gravi <tianon@debian.org>
@tianon
Copy link
Contributor Author

tianon commented Jul 12, 2019

As a hail mary I rebased and force pushed again to trigger the CLA check again (hoping perhaps something just needed to propagate) and still no dice. 😕

@anonymouse64
Copy link
Contributor

@tianon in the interest of time, are you okay if I open a new PR with your change committed from me?

@tianon
Copy link
Contributor Author

tianon commented Jul 12, 2019

Absolutely!

@anonymouse64 anonymouse64 mentioned this pull request Jul 12, 2019
Merged
@jdstrand
Copy link

#7106 is the new PR. Closing this one.

@jdstrand jdstrand closed this Jul 12, 2019
@tianon tianon deleted the runc-1984 branch August 12, 2019 23:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anonymouse64 anonymouse64 anonymouse64 approved these changes

@jdstrand jdstrand jdstrand approved these changes

@mvo5 mvo5 mvo5 approved these changes

@zyga zyga zyga approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tianon @anonymouse64 @jdstrand @zyga @mvo5