The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3169
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

Same as #3117.

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
From 95ad620e0c246f7bff395d4ce261ba96d6a52c18 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller <w.bumil...@proxmox.com> Date: Wed, 23 Oct 2019 10:53:21 +0200 Subject: [PATCH] apparmor: Prevent writes to /proc/acpi/** Same as #3117. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- src/lxc/lsm/apparmor.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c index e32b125319..b8d446b5c2 100644 --- a/src/lxc/lsm/apparmor.c +++ b/src/lxc/lsm/apparmor.c @@ -121,6 +121,7 @@ static const char AA_PROFILE_BASE[] = " # block some other dangerous paths\n" " deny @{PROC}/kcore rwklx,\n" " deny @{PROC}/sysrq-trigger rwklx,\n" +" deny @{PROC}/acpi/** rwklx,\n" "\n" " # deny writes in /sys except for /sys/fs/cgroup, also allow\n" " # fusectl, securityfs and debugfs to be mounted there (read-only)\n"
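Review bot: The subject says "Prevent writes to /proc/acpi/**" but the added rule `deny @{PROC}/acpi/** rwklx,` also denies read, lock, link and exec, so the profile is stricter than the commit message states; either reword the subject to "deny access to /proc/acpi/**" or, if read access to those nodes is needed, narrow the permission string. The description "Same as #3117" carries no rationale of its own, so please state in the commit message why /proc/acpi is being added to the "block some other dangerous paths" list. Also, only the generated AA_PROFILE_BASE in src/lxc/lsm/apparmor.c is touched (1 file changed); if the same kcore/sysrq-trigger deny block is duplicated in any shipped static profile files, those need the identical line or the two profiles diverge.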
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel