apparmor: allow writes to sem* and msg* sysctls

/proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls which are properly namespaced. Allow writes to them from containers. Reported-by: Dan Kegel <dank@kegel.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

apparmor: allow writes to sem* and msg* sysctls
1a255d79 · Serge Hallyn · Stéphane Graber · 28b939d6 · 1a255d79 · 1a255d79
Commit 1a255d79 authored Apr 29, 2014 by Serge Hallyn Committed by Stéphane Graber Apr 30, 2014
Showing with 16 additions and 4 deletions

container-base config/apparmor/abstractions/container-base +7 -2

container-rules config/apparmor/container-rules +7 -2

container-rules.base config/apparmor/container-rules.base +2 -0

No files found.
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -55,7 +55,7 @@
  deny /proc/sys/ker[^n]*{,/**} wklx,
  deny /proc/sys/kern[^e]*{,/**} wklx,
  deny /proc/sys/kerne[^l]*{,/**} wklx,
-  deny /proc/sys/kernel/[^shd]*{,/**} wklx,
+  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
@@ -74,7 +74,12 @@
  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
  deny /proc/sys/kernel/hostname?*{,/**} wklx,
-  deny /proc/sys/kernel/s[^h]*{,/**} wklx,
+  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+  deny /proc/sys/kernel/msg*/** wklx,
+  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/sem*/** wklx,
  deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
  deny /proc/sys/kernel/shm*/** wklx,
  deny /proc/sys/kernel?*{,/**} wklx,

--- a/config/apparmor/container-rules
+++ b/config/apparmor/container-rules
@@ -5,7 +5,7 @@
  deny /proc/sys/ker[^n]*{,/**} wklx,
  deny /proc/sys/kern[^e]*{,/**} wklx,
  deny /proc/sys/kerne[^l]*{,/**} wklx,
-  deny /proc/sys/kernel/[^shd]*{,/**} wklx,
+  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
@@ -24,7 +24,12 @@
  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
  deny /proc/sys/kernel/hostname?*{,/**} wklx,
-  deny /proc/sys/kernel/s[^h]*{,/**} wklx,
+  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+  deny /proc/sys/kernel/msg*/** wklx,
+  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/sem*/** wklx,
  deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
  deny /proc/sys/kernel/shm*/** wklx,
  deny /proc/sys/kernel?*{,/**} wklx,

--- a/config/apparmor/container-rules.base
+++ b/config/apparmor/container-rules.base
@@ -8,6 +8,8 @@ allow /sys/devices/virtual/net/**
 allow /sys/class/net/**
 block /proc/sys
 allow /proc/sys/kernel/shm*
+allow /proc/sys/kernel/sem*
+allow /proc/sys/kernel/msg*
 allow /proc/sys/kernel/hostname
 allow /proc/sys/kernel/domainname
 allow /proc/sys/net/**