Skip to content

L
lxc
Commit d551c8cb by Stéphane Graber
Options

Merge pull request #879 from hallyn/2016-03-07/debug.aa

prevent containers from reading /sys/kernel/debug
parents 21548661 537188a8
Showing with 6 additions and 0 deletions
config/apparmor/abstractions/container-base
...@@ -93,6 +93,9 @@ ...@@ -93,6 +93,9 @@
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
# generated by: lxc-generate-aa-rules.py container-rules.base # generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx, deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx, deny /proc/sys/k[^e]*{,/**} wklx,
......
config/apparmor/abstractions/container-base.in
...@@ -93,3 +93,6 @@ ...@@ -93,3 +93,6 @@
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment