[lxc-devel] [lxc/master] apparmor: Prevent writes to /proc/acpi/**
Blub on Github
lxc-bot at linuxcontainers.org
Wed Oct 23 08:54:08 UTC 2019
From 95ad620e0c246f7bff395d4ce261ba96d6a52c18 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller at proxmox.com>
Date: Wed, 23 Oct 2019 10:53:21 +0200
Subject: [PATCH] apparmor: Prevent writes to /proc/acpi/**
Same as #3117.
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
src/lxc/lsm/apparmor.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index e32b125319..b8d446b5c2 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -121,6 +121,7 @@ static const char AA_PROFILE_BASE[] =
" # block some other dangerous paths\n"
" deny @{PROC}/kcore rwklx,\n"
" deny @{PROC}/sysrq-trigger rwklx,\n"
+" deny @{PROC}/acpi/** rwklx,\n"
"\n"
" # deny writes in /sys except for /sys/fs/cgroup, also allow\n"
" # fusectl, securityfs and debugfs to be mounted there (read-only)\n"