Just like we block access to mem and kmem, there's no good reason for the container to have access to kcore.
Reported-by: Marc Schaefer Signed-off-by: Stéphane Graber <[email protected]> --- config/apparmor/abstractions/container-base | 5 +++-- config/apparmor/abstractions/container-base.in | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base index 2d5fd7a..ac8d4e9 100644 --- a/config/apparmor/abstractions/container-base +++ b/config/apparmor/abstractions/container-base @@ -70,9 +70,10 @@ mount fstype=efivarfs -> /sys/firmware/efi/efivars/, # block some other dangerous paths - deny @{PROC}/sysrq-trigger rwklx, - deny @{PROC}/mem rwklx, + deny @{PROC}/kcore rwklx, deny @{PROC}/kmem rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/sysrq-trigger rwklx, # deny writes in /sys except for /sys/fs/cgroup, also allow # fusectl, securityfs and debugfs to be mounted there (read-only) diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in index 2065735..235913b 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in @@ -70,9 +70,10 @@ mount fstype=efivarfs -> /sys/firmware/efi/efivars/, # block some other dangerous paths - deny @{PROC}/sysrq-trigger rwklx, - deny @{PROC}/mem rwklx, + deny @{PROC}/kcore rwklx, deny @{PROC}/kmem rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/sysrq-trigger rwklx, # deny writes in /sys except for /sys/fs/cgroup, also allow # fusectl, securityfs and debugfs to be mounted there (read-only) -- 1.9.1
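Review bot: in the container-base hunk, the reordering of the existing `deny @{PROC}/sysrq-trigger rwklx,` and `deny @{PROC}/mem rwklx,` lines is purely cosmetic (the block becomes alphabetical around the new `deny @{PROC}/kcore rwklx,`), but it turns a one-line addition into a five-line diff; a short remark in the commit message that only the kcore rule is new would stop a reader from looking for a behaviour change in the moved lines. The new rule itself is sound: AppArmor deny rules take precedence over allow rules, so it holds even if a broader `@{PROC}/**` read allow exists elsewhere in the profile, and read is the permission that matters for kcore since the file is a read-only image of kernel memory. Worth noting in the message that this is defence in depth only for hosts where the profile is actually loaded; a container started without AppArmor gets nothing from it.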
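Review bot: the container-base.in hunk is byte-for-byte the same as the one for container-base, which is the right thing to do so the template and the shipped abstraction do not drift; since the two copies have to be edited in lockstep, a one-line note in the commit message (or a comment at the top of container-base) saying that changes go in both files would help the next person who only touches one of them.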
