apparmor: Prevent writes to /proc/acpi/**

Same as #3117. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

apparmor: Prevent writes to /proc/acpi/**
95ad620e · Wolfgang Bumiller · 344b8ee2 · 95ad620e
Commit 95ad620e authored Oct 23, 2019 by Wolfgang Bumiller
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

apparmor.c src/lxc/lsm/apparmor.c +1 -0

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -121,6 +121,7 @@ static const char AA_PROFILE_BASE[] =
 "  # block some other dangerous paths\n"
 "  deny @{PROC}/kcore rwklx,\n"
 "  deny @{PROC}/sysrq-trigger rwklx,\n"
+"  deny @{PROC}/acpi/** rwklx,\n"
 "\n"
 "  # deny writes in /sys except for /sys/fs/cgroup, also allow\n"
 "  # fusectl, securityfs and debugfs to be mounted there (read-only)\n"