The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3117

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Would close #3115
From 84597151581f798d74322cdcf5fcc4b1d0fc0948 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?= <be...@crans.org>
Date: Sat, 10 Aug 2019 22:07:42 +0200
Subject: [PATCH] [aa-profile] Deny access to /proc/acpi/**

---
 config/apparmor/abstractions/container-base.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/apparmor/abstractions/container-base.in 
b/config/apparmor/abstractions/container-base.in
index 1a3ead89ad..2606fb64c6 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -73,6 +73,7 @@
   # block some other dangerous paths
   deny @{PROC}/kcore rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/acpi/** rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
