From 264a89788c22e3c03805052bb43c232d7a285761 Mon Sep 17 00:00:00 2001
From: Michael Brown <michael@netdirect.ca>
Date: Mon, 7 Apr 2014 02:02:11 -0400
Subject: [PATCH 1/3] apparmor: docker-default: Include base abstraction

Encountered problems on 14.04 relating to signals between container
processes being blocked by apparmor. The base abstraction contains
appropriate rules to allow this communication.

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
---
 libcontainer/apparmor/setup.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libcontainer/apparmor/setup.go b/libcontainer/apparmor/setup.go
index 4e1c951..cc786de 100644
--- a/libcontainer/apparmor/setup.go
+++ b/libcontainer/apparmor/setup.go
@@ -18,6 +18,7 @@ const DefaultProfile = `
 @{PROC}=/proc/
 
 profile docker-default flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
   network,
   capability,
   file,

From 0bcebe0347c7ce43dfc4a5cdbb4fa083dcd86d82 Mon Sep 17 00:00:00 2001
From: Michael Brown <michael@netdirect.ca>
Date: Mon, 7 Apr 2014 02:47:43 -0400
Subject: [PATCH 2/3] apparmor: abstractions/base expects pid variable

Add 'pid' variable pointing to 'self' to allow parsing of profile to succeed

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
---
 libcontainer/apparmor/setup.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libcontainer/apparmor/setup.go b/libcontainer/apparmor/setup.go
index cc786de..d9deec4 100644
--- a/libcontainer/apparmor/setup.go
+++ b/libcontainer/apparmor/setup.go
@@ -16,6 +16,7 @@ const DefaultProfile = `
 #@{HOMEDIRS}+=
 @{multiarch}=*-linux-gnu*
 @{PROC}=/proc/
+@{pid}=self
 
 profile docker-default flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>

From 7c63627a7f29289cea7d1e9e6705628c102e960c Mon Sep 17 00:00:00 2001
From: Michael Brown <michael@netdirect.ca>
Date: Mon, 7 Apr 2014 03:04:27 -0400
Subject: [PATCH 3/3] apparmor: pull in variables from tunables/global

The variables that were defined at the top of the apparmor profile are best
pulled in via the <tunables/global> include.

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
---
 libcontainer/apparmor/setup.go | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/libcontainer/apparmor/setup.go b/libcontainer/apparmor/setup.go
index d9deec4..4c66459 100644
--- a/libcontainer/apparmor/setup.go
+++ b/libcontainer/apparmor/setup.go
@@ -11,13 +11,8 @@ import (
 const DefaultProfilePath = "/etc/apparmor.d/docker"
 const DefaultProfile = `
 # AppArmor profile from lxc for containers.
-@{HOME}=@{HOMEDIRS}/*/ /root/
-@{HOMEDIRS}=/home/
-#@{HOMEDIRS}+=
-@{multiarch}=*-linux-gnu*
-@{PROC}=/proc/
-@{pid}=self
 
+#include <tunables/global>
 profile docker-default flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
   network,