[lxc-devel] [lxd/master] drop useless apparmor denies

tych0 on Github lxc-bot at linuxcontainers.org
Tue Oct 3 05:03:44 UTC 2017


From d9bec3c1e4430caa025f91bd32908a0b9ce46375 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho at tycho.ws>
Date: Mon, 2 Oct 2017 16:53:57 -0600
Subject: [PATCH] drop useless apparmor denies

mem and kmem are really in /dev, and they're not propagated into lxd
containers, privileged or otherwise anyways, so these are useless.

Signed-off-by: Tycho Andersen <tycho at tycho.ws>
---
 lxd/apparmor.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index f2920f421..9c018491d 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -80,8 +80,6 @@ const AA_PROFILE_BASE = `
 
   # block some other dangerous paths
   deny @{PROC}/kcore rwklx,
-  deny @{PROC}/kmem rwklx,
-  deny @{PROC}/mem rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow
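Review bot: The commit message should say explicitly that `/proc/kmem` and `/proc/mem` are not paths procfs provides, which is why these two `deny @{PROC}/... rwklx,` rules could never match; the message currently argues only that `/dev/mem` and `/dev/kmem` are not propagated into containers, which is a different path from what the removed rules reference (`@{PROC}/kmem`, `@{PROC}/mem`), so a reader diffing the profile cannot tell from the message alone why dropping them is safe. Keeping `deny @{PROC}/kcore rwklx,` and `deny @{PROC}/sysrq-trigger rwklx,` is right since both exist under `/proc`, and it is worth a sentence noting that `@{PROC}/mem` also never covered per-process `/proc/<pid>/mem`, so removing it does not loosen anything for that path either.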

