apparmor: Block access to /proc/kcore

Just like we block access to mem and kmem, there's no good reason for the container to have access to kcore. Reported-by: Marc Schaefer Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

apparmor: Block access to /proc/kcore
98b74549 · Stéphane Graber · abf117c3 · 98b74549 · 98b74549
Commit 98b74549 authored Dec 28, 2014 by Stéphane Graber
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

container-base config/apparmor/abstractions/container-base +3 -2

container-base.in config/apparmor/abstractions/container-base.in +3 -2

No files found.
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -70,9 +70,10 @@
  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
  # block some other dangerous paths
-  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/kcore rwklx,
-  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/sysrq-trigger rwklx,
  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)

--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -70,9 +70,10 @@
  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
  # block some other dangerous paths
-  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/kcore rwklx,
-  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/sysrq-trigger rwklx,
  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)