Merge pull request #897 from hallyn/2016-03-16/aa

Prevent access to pci devices

Merge pull request #897 from hallyn/2016-03-16/aa
e97069ad · Christian Brauner · b3e4df8a · 4845c17a · e97069ad · e97069ad
Commit e97069ad authored Mar 16, 2016 by Christian Brauner
Showing with 7 additions and 1 deletion

container-base config/apparmor/abstractions/container-base +3 -0

container-base.in config/apparmor/abstractions/container-base.in +3 -0

common.conf.in config/templates/common.conf.in +1 -1

No files found.
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -66,6 +66,9 @@
  mount options=(rw, bind) /run/ -> /var/run/,
  mount options=(rw, bind) /run/lock/ -> /var/lock/,
+  # deny access under /proc/bus to avoid e.g. messing with pci devices directly
+  deny @{PROC}/bus/** wklx,
  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,

--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -66,6 +66,9 @@
  mount options=(rw, bind) /run/ -> /var/run/,
  mount options=(rw, bind) /run/lock/ -> /var/lock/,
+  # deny access under /proc/bus to avoid e.g. messing with pci devices directly
+  deny @{PROC}/bus/** wklx,
  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,

--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -10,7 +10,7 @@ lxc.pts = 1024
 lxc.tty = 4
 # Drop some harmful capabilities
-lxc.cap.drop = mac_admin mac_override sys_time sys_module
+lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
 # Set the pivot directory
 lxc.pivotdir = lxc_putold