prevent containers from reading /sys/kernel/debug

Unprivileged containers cannot read it anyway, but also prevent root owned containers from doing so. Sadly upstart's mountall won't run if we try to prevent it from being mounted at all. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

prevent containers from reading /sys/kernel/debug
537188a8 · Serge Hallyn · 21548661 · 537188a8 · 537188a8
Commit 537188a8 authored Mar 07, 2016 by Serge Hallyn
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

container-base config/apparmor/abstractions/container-base +3 -0

container-base.in config/apparmor/abstractions/container-base.in +3 -0

No files found.
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,6 +93,9 @@
  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
  mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,
  # generated by: lxc-generate-aa-rules.py container-rules.base
  deny /proc/sys/[^kn]*{,/**} wklx,
  deny /proc/sys/k[^e]*{,/**} wklx,

--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -93,3 +93,6 @@
  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
  mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,