Quoting Stéphane Graber ([email protected]):
> Just like we block access to mem and kmem, there's no good reason for
> the container to have access to kcore.
>
> Reported-by: Marc Schaefer
> Signed-off-by: Stéphane Graber <[email protected]>
Acked-by: Serge E. Hallyn <[email protected]> > --- > config/apparmor/abstractions/container-base | 5 +++-- > config/apparmor/abstractions/container-base.in | 5 +++-- > 2 files changed, 6 insertions(+), 4 deletions(-) > > diff --git a/config/apparmor/abstractions/container-base > b/config/apparmor/abstractions/container-base > index 2d5fd7a..ac8d4e9 100644 > --- a/config/apparmor/abstractions/container-base > +++ b/config/apparmor/abstractions/container-base > @@ -70,9 +70,10 @@ > mount fstype=efivarfs -> /sys/firmware/efi/efivars/, > > # block some other dangerous paths > - deny @{PROC}/sysrq-trigger rwklx, > - deny @{PROC}/mem rwklx, > + deny @{PROC}/kcore rwklx, > deny @{PROC}/kmem rwklx, > + deny @{PROC}/mem rwklx, > + deny @{PROC}/sysrq-trigger rwklx, > > # deny writes in /sys except for /sys/fs/cgroup, also allow > # fusectl, securityfs and debugfs to be mounted there (read-only) > diff --git a/config/apparmor/abstractions/container-base.in > b/config/apparmor/abstractions/container-base.in > index 2065735..235913b 100644 > --- a/config/apparmor/abstractions/container-base.in > +++ b/config/apparmor/abstractions/container-base.in > @@ -70,9 +70,10 @@ > mount fstype=efivarfs -> /sys/firmware/efi/efivars/, > > # block some other dangerous paths > - deny @{PROC}/sysrq-trigger rwklx, > - deny @{PROC}/mem rwklx, > + deny @{PROC}/kcore rwklx, > deny @{PROC}/kmem rwklx, > + deny @{PROC}/mem rwklx, > + deny @{PROC}/sysrq-trigger rwklx, > > # deny writes in /sys except for /sys/fs/cgroup, also allow > # fusectl, securityfs and debugfs to be mounted there (read-only) > -- > 1.9.1 > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
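Review bot: in the "block some other dangerous paths" hunk of container-base (and the identical hunk in container-base.in), only `deny @{PROC}/kcore rwklx,` is a functional change; the removal and re-addition of `deny @{PROC}/sysrq-trigger rwklx,` and `deny @{PROC}/mem rwklx,` just sorts the four deny rules alphabetically, which the commit message does not mention. Either keep the diff to the single added line or add a short sentence to the message saying the existing rules were reordered, so that someone bisecting or auditing the profile later does not read the three cosmetic lines as a policy change. Using the same `rwklx` mask as the neighbouring mem, kmem and sysrq-trigger rules keeps the deny set consistent, and applying the same edit to both container-base and container-base.in is correct since both files carry the same rule block.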
