The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/879

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Unprivileged containers cannot read it anyway, but also prevent root
owned containers from doing so.  Sadly upstart's mountall won't run
if we try to prevent it from being mounted at all.

Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
From 537188a8eefd6df82995e71f453fce4d6622b110 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hal...@ubuntu.com>
Date: Mon, 7 Mar 2016 19:10:58 -0800
Subject: [PATCH] prevent containers from reading /sys/kernel/debug

Unprivileged containers cannot read it anyway, but also prevent root
owned containers from doing so.  Sadly upstart's mountall won't run
if we try to prevent it from being mounted at all.

Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
---
 config/apparmor/abstractions/container-base    | 3 +++
 config/apparmor/abstractions/container-base.in | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/config/apparmor/abstractions/container-base 
b/config/apparmor/abstractions/container-base
index 6e924db..61b24eb 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,6 +93,9 @@
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> 
/sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/,
 
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,
+
   # generated by: lxc-generate-aa-rules.py container-rules.base
   deny /proc/sys/[^kn]*{,/**} wklx,
   deny /proc/sys/k[^e]*{,/**} wklx,
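Review bot: the comment "# deny reads from debugfs" understates the new rule; `rwklx` denies write, lock, link and exec as well as read, so a comment such as "# deny access to debugfs" would describe it accurately. Note also that the rule covers file access only: no `deny mount` is added for debugfs, which matches the commit message's point that upstart's mountall still needs to mount /sys/kernel/debug, so mounting remains permitted and only access to the mounted tree is blocked. The `{,**}` glob correctly covers both the /sys/kernel/debug/ directory entry itself and every path beneath it, and placing the rule before the "# generated by: lxc-generate-aa-rules.py" block keeps it in the hand-maintained part of the generated file, consistent with the change to container-base.in below.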
diff --git a/config/apparmor/abstractions/container-base.in 
b/config/apparmor/abstractions/container-base.in
index 2237a47..51fb5d4 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -93,3 +93,6 @@
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> 
/sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/,
 
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,
+
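Review bot: the same comment wording applies here ("deny reads" versus an `rwklx` rule that denies read, write, lock, link and exec), and since container-base is generated from this template the two comments should be kept identical. The trailing `+` line adds a blank line at end of file; it is harmless here because the generated rules are appended after it in container-base, but it is worth dropping if the template is meant to end cleanly.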
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel