interfaces/builtin: add exec "/bin/runc" to docker-support
Newer runC applied further improvements to their CVE-2019-5736 mitigation in opencontainers/runc#1984 which change the nature of our apparmor denial from `/` to `/bin/runc` (which I have also commented on https://bugs.launchpad.net/apparmor/+bug/1820344 about).

See also canonical#6610.

Signed-off-by: Tianon Gravi <tianon@debian.org>
tianon committed Jul 11, 2019
1 parent 09fcbff commit cf76948
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions interfaces/builtin/docker_support.go
Expand Up @@ -156,6 +156,7 @@ ptrace (read, trace) peer=docker-default,
# needed by runc for mitigation of CVE-2019-5736
# For details see https://bugs.launchpad.net/apparmor/+bug/1820344
/bin/runc rix,
/ ix,
`
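
Review bot: The comment above the new `/bin/runc rix,` rule still describes only the original CVE-2019-5736 mitigation and does not say why two rules are now needed. Per the commit message, newer runC (opencontainers/runc#1984) moves the denial from `/` to `/bin/runc`, so the comment should state that `/bin/runc rix,` covers newer runC and `/ ix,` remains for older versions; otherwise a later cleanup may drop one of them or keep the broad `/ ix,` longer than necessary. The commit title also says "add exec", but the rule grants `r` in addition to `ix`, while the existing `/` rule has only `ix`. If read access is required for the newer mitigation, note that in the comment; if not, `ix` alone would be the tighter grant.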
