drop useless apparmor denies

mem and kmem are really in /dev, so this does us no good.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 70aa45b1f1456332c2aa646893322aeb204e6567..94cc7d590d774c5bf485714e131351e336dbfe63 100644 (file)
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -76,8 +76,6 @@
 
   # block some other dangerous paths
   deny @{PROC}/kcore rwklx,
-  deny @{PROC}/kmem rwklx,
-  deny @{PROC}/mem rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 09deeb511c47068d9e157d08eb0f5780f857bea7..37960c401fd3f6f30bccd6218c70c24265f451c0 100644 (file)
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -76,8 +76,6 @@
 
   # block some other dangerous paths
   deny @{PROC}/kcore rwklx,
-  deny @{PROC}/kmem rwklx,
-  deny @{PROC}/mem rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow

diff --git a/src/tests/aa.c b/src/tests/aa.c
index 1ab1997232c4fcf5cade0ea33a4e863054ad026b..f21b2b70ebaeaea598c1b3b5cc816ecb7867486a 100644 (file)
--- a/src/tests/aa.c
+++ b/src/tests/aa.c
@@ -105,7 +105,7 @@ char *files_to_allow[] = { "/sys/class/net/lo/ifalias",
                "/proc/sys/kernel/shmmax",
                NULL };
 
-char *files_to_deny[] = { "/proc/mem", "/proc/kmem",
+char *files_to_deny[] = {
                "/sys/kernel/uevent_helper",
                "/proc/sys/fs/file-nr",
                "/sys/kernel/mm/ksm/pages_to_scan",