[lxc-devel] [PATCH] apparmor: Block access to /proc/kcore
Stéphane Graber
stgraber at ubuntu.com
Sun Dec 28 17:33:29 UTC 2014
Just like we block access to mem and kmem, there's no good reason for
the container to have access to kcore.
Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
config/apparmor/abstractions/container-base | 5 +++--
config/apparmor/abstractions/container-base.in | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 2d5fd7a..ac8d4e9 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -70,9 +70,10 @@
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
+ deny @{PROC}/kcore rwklx,
deny @{PROC}/kmem rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/sysrq-trigger rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
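Review bot: The new `deny @{PROC}/kcore rwklx,` line silently drops the access, so a container probing kernel memory leaves no trace in the host's audit log; as I recall AppArmor `deny` rules are quiet by default and only `audit deny @{PROC}/kcore rwklx,` would record the attempt. That matches the existing style of the mem/kmem/sysrq-trigger lines, so it is a deliberate choice to make rather than a defect, but kcore is exactly the path where a logged denial is worth having. The rationale from the commit message is also worth carrying into the file, e.g. extending the comment above the rules to `# block some other dangerous paths (kcore, like mem and kmem, exposes kernel memory)`. The same applies to the identical hunk in container-base.in below; keeping the template and the generated file in step is correct.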
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2065735..235913b 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -70,9 +70,10 @@
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
+ deny @{PROC}/kcore rwklx,
deny @{PROC}/kmem rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/sysrq-trigger rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
--
1.9.1