[lxc-devel] [lxc/master] prevent containers from reading /sys/kernel/debug

hallyn on Github lxc-bot at linuxcontainers.org
Tue Mar 8 03:12:38 UTC 2016


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 546 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20160308/4889844b/attachment.bin>
-------------- next part --------------
From 537188a8eefd6df82995e71f453fce4d6622b110 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Mon, 7 Mar 2016 19:10:58 -0800
Subject: [PATCH] prevent containers from reading /sys/kernel/debug

Unprivileged containers cannot read it anyway, but also prevent root
owned containers from doing so.  Sadly upstart's mountall won't run
if we try to prevent it from being mounted at all.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 config/apparmor/abstractions/container-base    | 3 +++
 config/apparmor/abstractions/container-base.in | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 6e924db..61b24eb 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,6 +93,9 @@
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,
+
   # generated by: lxc-generate-aa-rules.py container-rules.base
   deny /proc/sys/[^kn]*{,/**} wklx,
   deny /proc/sys/k[^e]*{,/**} wklx,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2237a47..51fb5d4 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -93,3 +93,6 @@
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,
+


More information about the lxc-devel mailing list