From 2af7f63173e0af35db67c2dbc97759ac022d39bd Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Thu, 30 Jul 2015 10:26:45 -0700
Subject: [PATCH] Don't mount /proc as ro

This caused a regression with LSM labeling.

Signed-off-by: Michael Crosby
(cherry picked from commit bfc51cf6605ebcf7a4ec791fb0f3b5ae7b05c6fd)
---
 daemon/execdriver/native/create.go | 2 +-
 integration-cli/docker_cli_exec_test.go | 7 +++++++
 integration-cli/docker_cli_run_test.go | 12 ++++++------
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index 0f0a6a12d..0732a835d 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -85,7 +85,7 @@ func (d *driver) createContainer(c *execdriver.Command) (*configs.Config, error)
 }
 /* These paths must be remounted as r/o */
- container.ReadonlyPaths = append(container.ReadonlyPaths, "/proc", "/dev")
+ container.ReadonlyPaths = append(container.ReadonlyPaths, "/dev")
 }
 if err := d.setupMounts(container, c); err != nil {
diff --git a/integration-cli/docker_cli_exec_test.go b/integration-cli/docker_cli_exec_test.go
index b90e159af..8e85988f1 100644
--- a/integration-cli/docker_cli_exec_test.go
+++ b/integration-cli/docker_cli_exec_test.go
@@ -536,3 +536,10 @@ func (s *DockerSuite) TestExecWithImageUser(c *check.C) {
 c.Fatalf("exec with user by id expected dockerio user got %s", out)
 }
 }
+
+func (s *DockerSuite) TestExecOnReadonlyContainer(c *check.C) {
+ dockerCmd(c, "run", "-d", "--read-only", "--name", "parent", "busybox", "top")
+ if _, status := dockerCmd(c, "exec", "parent", "true"); status != 0 {
+ c.Fatalf("exec into a read-only container failed with exit status %d", status)
+ }
+}
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 2c27cd9d7..d76ca95b6 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
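Review bot: The surviving comment `/* These paths must be remounted as r/o */` now describes only `/dev` and says nothing about why `/proc` was taken out, so the next reader has no reason not to put it back; replace it with something like `/* /dev must be remounted r/o; /proc is intentionally not listed, remounting it read-only broke LSM labeling */`. Dropping the entry also means a `--read-only` container's `/proc` is no longer forced read-only by this driver; presumably the default read-only and masked `/proc` sub-paths configured elsewhere on this branch still apply, but that is worth confirming and stating in the description, which currently only mentions the regression. createContainer starts and ends outside the hunk.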
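Review bot: TestExecOnReadonlyContainer has no doc comment tying it to the regression it guards, so its purpose is lost once this commit scrolls away; add `// TestExecOnReadonlyContainer checks that exec still works in a --read-only container (regression seen when /proc was remounted read-only).` above the func line. The detached `parent` container is started and never stopped or removed inside the test, so it relies on suite-level cleanup and on no earlier test leaving a container of that name behind; that appears to be the file's convention, but confirm it. If `dockerCmd` already fails the test on a non-zero exit, as discarding its results on the first line suggests, the explicit `status != 0` check on the exec call is redundant, though harmless.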
@@ -2242,7 +2242,7 @@ func (s *DockerSuite) TestRunContainerWithWritableRootfs(c *check.C) {
 func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
 testRequires(c, NativeExecDriver)
- for _, f := range []string{"/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/proc/uptime", "/sys/kernel", "/dev/.dont.touch.me"} {
+ for _, f := range []string{"/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel", "/dev/.dont.touch.me"} {
 testReadOnlyFile(f, c)
 }
 }
@@ -2396,7 +2396,7 @@ func (s *DockerSuite) TestRunWriteToProcAsound(c *check.C) {
 func (s *DockerSuite) TestRunReadProcTimer(c *check.C) {
 testRequires(c, NativeExecDriver)
- out, code, err := dockerCmdWithError("run", "busybox", "cat", "/proc/timer_stats")
+ out, code, err := dockerCmdWithError(c, "run", "busybox", "cat", "/proc/timer_stats")
 if code != 0 {
 return
 }
@@ -2416,7 +2416,7 @@ func (s *DockerSuite) TestRunReadProcLatency(c *check.C) {
 c.Skip("kernel doesnt have latency_stats configured")
 return
 }
- out, code, err := dockerCmdWithError("run", "busybox", "cat", "/proc/latency_stats")
+ out, code, err := dockerCmdWithError(c, "run", "busybox", "cat", "/proc/latency_stats")
 if code != 0 {
 return
 }
@@ -2440,7 +2440,7 @@ func (s *DockerSuite) TestRunReadFilteredProc(c *check.C) {
 name := fmt.Sprintf("procsieve-%d", i)
 shellCmd := fmt.Sprintf("exec 3<%s", filePath)
- if out, exitCode, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd); err == nil || exitCode == 0 {
+ if out, exitCode, err := dockerCmdWithError(c, "run", "--privileged", "--security-opt", "apparmor:docker-default", "--name", name, "busybox", "sh", "-c", shellCmd); err == nil || exitCode == 0 {
 c.Fatalf("Open FD for read should have failed with permission denied, got: %s, %v", out, err)
 }
 }
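Review bot: With `/proc/uptime` removed, no `/proc` path remains in the slice passed to testReadOnlyFile, so the suite no longer asserts anything about `/proc` under `--read-only`, and nothing near the loop explains the gap; add a line above it such as `// no /proc entry: /proc is intentionally left writable, remounting it read-only broke LSM labeling`. If some `/proc` sub-paths are still expected to be read-only on this branch (the driver's default set, if it has one), listing one of them here would keep that protection covered by a test rather than leaving it unverified.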
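Review bot: The change at this hunk, and likewise at the 2416, 2440, 2753 and 2763 hunks, only adds `c` as the first argument of dockerCmdWithError, which neither the subject nor the body of the commit mentions; presumably the helper's signature on this branch differs from the one the cherry-picked commit was written against. A sentence in the description saying so would make the backport easier to audit, since these lines touch tests unrelated to the `/proc` change. TestRunReadProcTimer ends outside this hunk, and the functions enclosing the other four hunks start outside theirs.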
@@ -2753,7 +2753,7 @@ func (s *DockerSuite) TestAppArmorDeniesPtrace(c *check.C) {
 // Run through 'sh' so we are NOT pid 1. Pid 1 may be able to trace
 // itself, but pid>1 should not be able to trace pid1.
- _, exitCode, _ := dockerCmdWithError("run", "busybox", "sh", "-c", "readlink /proc/1/ns/net")
+ _, exitCode, _ := dockerCmdWithError(c, "run", "busybox", "sh", "-c", "readlink /proc/1/ns/net")
 if exitCode == 0 {
 c.Fatal("ptrace was not successfully restricted by AppArmor")
 }
@@ -2763,7 +2763,7 @@ func (s *DockerSuite) TestAppArmorTraceSelf(c *check.C) {
 testRequires(c, SameHostDaemon)
 testRequires(c, Apparmor)
- _, exitCode, _ := dockerCmdWithError("run", "busybox", "readlink", "/proc/1/ns/net")
+ _, exitCode, _ := dockerCmdWithError(c, "run", "busybox", "readlink", "/proc/1/ns/net")
 if exitCode != 0 {
 c.Fatal("ptrace of self failed.")
 }