[lxc-devel] [lxc/master] apparmor: Prevent writes to /proc/acpi/**

Blub on Github lxc-bot at linuxcontainers.org
Wed Oct 23 08:54:08 UTC 2019


From 95ad620e0c246f7bff395d4ce261ba96d6a52c18 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller at proxmox.com>
Date: Wed, 23 Oct 2019 10:53:21 +0200
Subject: [PATCH] apparmor: Prevent writes to /proc/acpi/**

Same as #3117.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/lxc/lsm/apparmor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index e32b125319..b8d446b5c2 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -121,6 +121,7 @@ static const char AA_PROFILE_BASE[] =
 "  # block some other dangerous paths\n"
 "  deny @{PROC}/kcore rwklx,\n"
 "  deny @{PROC}/sysrq-trigger rwklx,\n"
+"  deny @{PROC}/acpi/** rwklx,\n"
 "\n"
 "  # deny writes in /sys except for /sys/fs/cgroup, also allow\n"
 "  # fusectl, securityfs and debugfs to be mounted there (read-only)\n"
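Review bot: the added rule's permission mask `rwklx` denies reads, locks, links and execs as well as writes, so the patch title "Prevent writes to /proc/acpi/**" understates what the rule does; either reword the title and commit message to say the path is denied entirely (which matches the neighbouring `kcore` and `sysrq-trigger` rules in the same block), or narrow the mask to `w` if read access to `/proc/acpi` should remain available inside the container. Since AppArmor `deny` rules take precedence over any `allow`, nothing later in the profile can reopen the path, so a one-line comment stating why `/proc/acpi` is considered dangerous would help future readers; the commit message only says "Same as #3117".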

