From 5f1dee3348a18fe85a07421cca455ffff639bd14 Mon Sep 17 00:00:00 2001 From: Ian Johnson Date: Fri, 12 Jul 2019 16:29:58 -0500 Subject: [PATCH] interfaces/builtin: add exec "/bin/runc" to docker-support Newer runC applied further improvements to their CVE-2019-5736 mitigation in opencontainers/runc#1984 which change the nature of our apparmor denial from `/` to `/bin/runc` (which I have also commented on https://bugs.launchpad.net/apparmor/+bug/1820344 about). See also #6610. (originally from Tianon Gravi, but re-committed due to CLA issues with the PR checks) Signed-off-by: Ian Johnson --- interfaces/builtin/docker_support.go | 1 + 1 file changed, 1 insertion(+) diff --git a/interfaces/builtin/docker_support.go b/interfaces/builtin/docker_support.go index 349c2f21bb1b..481ae35a7e40 100644 --- a/interfaces/builtin/docker_support.go +++ b/interfaces/builtin/docker_support.go @@ -157,6 +157,7 @@ ptrace (read, trace) peer=docker-default, # needed by runc for mitigation of CVE-2019-5736 # For details see https://bugs.launchpad.net/apparmor/+bug/1820344 / ix, +/bin/runc rix, ` const dockerSupportConnectedPlugSecComp = `
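Review bot: the new `/bin/runc rix,` rule is added without updating the comment above it, which still only points at the Launchpad bug that explained the original `/ ix,` rule; since the commit message attributes the new path to opencontainers/runc#1984, please extend the comment (for example "# runc >= opencontainers/runc#1984 re-executes itself via /bin/runc") so a future maintainer knows why two distinct paths are whitelisted for the same CVE-2019-5736 mitigation and when the older `/ ix,` line can be retired. Also confirm that `rix` (read plus inherit-exec) rather than a plain `ix` is intentional: `i` keeps the re-executed runc under the same confined docker-support profile instead of transitioning to an unconfined one, which is the safer choice, and the added `r` is what lets runc open and copy its own binary; stating that in the comment would make the difference from the existing `/ ix,` rule explicit. Finally, the diff touches only the profile string (1 file changed, 1 insertion); a unit test asserting that the generated AppArmor snippet contains `/bin/runc rix,` would keep this mitigation line from being dropped silently in a later refactor.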