[lxc-devel] [PATCH] apparmor: Block access to /proc/kcore
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jan 5 12:43:04 UTC 2015
Quoting Stéphane Graber (stgraber at ubuntu.com):
> Just like we block access to mem and kmem, there's no good reason for
> the container to have access to kcore.
>
> Reported-by: Marc Schaefer
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/apparmor/abstractions/container-base | 5 +++--
> config/apparmor/abstractions/container-base.in | 5 +++--
> 2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
> index 2d5fd7a..ac8d4e9 100644
> --- a/config/apparmor/abstractions/container-base
> +++ b/config/apparmor/abstractions/container-base
> @@ -70,9 +70,10 @@
> mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
>
> # block some other dangerous paths
> - deny @{PROC}/sysrq-trigger rwklx,
> - deny @{PROC}/mem rwklx,
> + deny @{PROC}/kcore rwklx,
> deny @{PROC}/kmem rwklx,
> + deny @{PROC}/mem rwklx,
> + deny @{PROC}/sysrq-trigger rwklx,
>
> # deny writes in /sys except for /sys/fs/cgroup, also allow
> # fusectl, securityfs and debugfs to be mounted there (read-only)
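Review bot: the only functional change in this hunk is the new `deny @{PROC}/kcore rwklx,` line, but the alphabetical re-sort turns the existing `mem` and `sysrq-trigger` rules into remove/add pairs, so the diff no longer shows at a glance that nothing else in the deny set changed; either keep the original order so the hunk is a pure one-line addition, or state the re-sort in the commit message so reviewers and anyone bisecting profile regressions know the other three rules are unchanged. Note also that this is a path rule keyed on `@{PROC}/kcore`, so it is only as strong as the rest of the profile's control over where procfs can be mounted, which this hunk does not touch.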
> diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
> index 2065735..235913b 100644
> --- a/config/apparmor/abstractions/container-base.in
> +++ b/config/apparmor/abstractions/container-base.in
> @@ -70,9 +70,10 @@
> mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
>
> # block some other dangerous paths
> - deny @{PROC}/sysrq-trigger rwklx,
> - deny @{PROC}/mem rwklx,
> + deny @{PROC}/kcore rwklx,
> deny @{PROC}/kmem rwklx,
> + deny @{PROC}/mem rwklx,
> + deny @{PROC}/sysrq-trigger rwklx,
>
> # deny writes in /sys except for /sys/fs/cgroup, also allow
> # fusectl, securityfs and debugfs to be mounted there (read-only)
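Review bot: this hunk is byte-for-byte the same edit as the one to `container-base`, and the `.in` suffix suggests one file is generated from the other; if that is the case the commit message should say which is the source so future deny rules are not added to only one of them, and if both are meant to be hand-maintained a one-line note in the profile header that they must stay in sync would prevent the two from drifting.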
> --
> 1.9.1
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel