[lxc-devel] [lxc/master] drop useless apparmor denies

tych0 on Github lxc-bot at linuxcontainers.org
Tue Oct 3 05:03:47 UTC 2017


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 408 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20171003/19e19c5b/attachment.bin>
-------------- next part --------------
From 6899c860bb4535a3a8e8212a593ac9876f7c5f12 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho at tycho.ws>
Date: Mon, 2 Oct 2017 23:00:21 -0600
Subject: [PATCH] drop useless apparmor denies

mem and kmem are really in /dev, so this does us no good.

Signed-off-by: Tycho Andersen <tycho at tycho.ws>
---
 config/apparmor/abstractions/container-base.in | 2 --
 src/tests/aa.c                                 | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 5bc9b28bf..91e9e4d0c 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -71,8 +71,6 @@
   mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 
   # block some other dangerous paths
-  deny @{PROC}/kcore rwklx,
-  deny @{PROC}/kmem rwklx,
   deny @{PROC}/mem rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
 
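Review bot: The lines removed in this hunk do not match the commit message. The message says mem and kmem are really under /dev, yet the hunk deletes `deny @{PROC}/kcore rwklx,` and `deny @{PROC}/kmem rwklx,` while keeping `deny @{PROC}/mem rwklx,`. Unlike @{PROC}/mem and @{PROC}/kmem, /proc/kcore is a real file on Linux (the kernel's memory exposed as an ELF core image), which is exactly the kind of path this "block some other dangerous paths" section exists for, so its deny should stay. The two lines to drop are the @{PROC}/mem and @{PROC}/kmem ones, which name paths that never resolve under /proc.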
diff --git a/src/tests/aa.c b/src/tests/aa.c
index c96b4666a..025ac8c9d 100644
--- a/src/tests/aa.c
+++ b/src/tests/aa.c
@@ -105,7 +105,7 @@ char *files_to_allow[] = { "/sys/class/net/lo/ifalias",
 		"/proc/sys/kernel/shmmax",
 		NULL };
 
-char *files_to_deny[] = { "/proc/mem", "/proc/kmem",
+char *files_to_deny[] = {
 		"/sys/kernel/uevent_helper",
 		"/proc/sys/fs/file-nr",
 		"/sys/kernel/mm/ksm/pages_to_scan",
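Review bot: This hunk drops "/proc/mem" and "/proc/kmem" from files_to_deny, which is consistent with the commit message but not with the profile hunk above, which still carries `deny @{PROC}/mem rwklx,` and instead removes the kcore and kmem rules. The two hunks should agree on which paths are going away: an entry should stay in files_to_deny for every deny rule the profile keeps, and if the kcore rule really is removed, any matching "/proc/kcore" entry in this array needs to go with it. It would also help to say in the commit message why these entries are useless: a deny test on a path that does not exist proves nothing about the profile, because the open fails with ENOENT whether or not AppArmor is enforcing.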

