Commit 98b74549 by Stéphane Graber

apparmor: Block access to /proc/kcore

Just like we block access to mem and kmem, there's no good reason for the container to have access to kcore.

Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
parent abf117c3
...@@ -70,9 +70,10 @@ ...@@ -70,9 +70,10 @@
mount fstype=efivarfs -> /sys/firmware/efi/efivars/, mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths # block some other dangerous paths
deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/kcore rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx, deny @{PROC}/kmem rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/sysrq-trigger rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow # deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only) # fusectl, securityfs and debugfs to be mounted there (read-only)
......
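Review bot: besides adding the kcore deny, the hunk reorders the existing mem, kmem and sysrq-trigger lines alphabetically, which the commit message does not mention; either state the reorder in the message or keep it a one-line addition (`deny @{PROC}/kcore rwklx,` next to the existing `deny @{PROC}/kmem rwklx,`) so the security-relevant change stays easy to audit. The new rule itself is consistent with its neighbours: same `rwklx` permission set and trailing comma, and since AppArmor deny rules take precedence over allow rules, the block holds even where the profile permits broader reads under /proc.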