interfaces/builtin: add exec "/bin/runc" to docker-support

anonymouse64 · anonymouse64 · commit 5f1dee3348a1 · 2019-07-12T16:29:58.000-05:00
Newer runC applied further improvements to their CVE-2019-5736 mitigation in opencontainers/runc#1984 which change the nature of our apparmor denial from `/` to `/bin/runc` (which I have also commented on https://bugs.launchpad.net/apparmor/+bug/1820344 about). See also canonical#6610. (originally from Tianon Gravi, but re-committed due to CLA issues with the PR checks) Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
diff --git a/interfaces/builtin/docker_support.go b/interfaces/builtin/docker_support.go
@@ -157,6 +157,7 @@ ptrace (read, trace) peer=docker-default,
 # needed by runc for mitigation of CVE-2019-5736
 # For details see https://bugs.launchpad.net/apparmor/+bug/1820344
 / ix,
+/bin/runc rix,
 `
 
 const dockerSupportConnectedPlugSecComp = `

Original file line number	Diff line number	Diff line change
`@@ -157,6 +157,7 @@ ptrace (read, trace) peer=docker-default,`
`157`	`157`	`# needed by runc for mitigation of CVE-2019-5736`
`158`	`158`	`# For details see https://bugs.launchpad.net/apparmor/+bug/1820344`
`159`	`159`	`/ ix,`
	`160`	`+/bin/runc rix,`
`160`	`161`	`
`161`	`162`
`162`	`163`	const dockerSupportConnectedPlugSecComp = `