apparmor: Prevent writes to /proc/acpi/**

author Wolfgang Bumiller <w.bumiller@proxmox.com>

Wed, 23 Oct 2019 08:53:21 +0000 (10:53 +0200)

committer Wolfgang Bumiller <w.bumiller@proxmox.com>

Wed, 23 Oct 2019 08:53:21 +0000 (10:53 +0200)
author Wolfgang Bumiller <w.bumiller@proxmox.com>
Wed, 23 Oct 2019 08:53:21 +0000 (10:53 +0200)
committer Wolfgang Bumiller <w.bumiller@proxmox.com>
Wed, 23 Oct 2019 08:53:21 +0000 (10:53 +0200)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c

index e32b12531956ae0958fce4e26164aa71869ca0c4..b8d446b5c2f5f27fc02b3780b6199c50145fc366 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -121,6 +121,7 @@ static const char AA_PROFILE_BASE[] =
  "  # block some other dangerous paths\n"
  "  deny @{PROC}/kcore rwklx,\n"
  "  deny @{PROC}/sysrq-trigger rwklx,\n"
+"  deny @{PROC}/acpi/** rwklx,\n"
  "\n"
  "  # deny writes in /sys except for /sys/fs/cgroup, also allow\n"
  "  # fusectl, securityfs and debugfs to be mounted there (read-only)\n"
author	Wolfgang Bumiller <w.bumiller@proxmox.com>
	Wed, 23 Oct 2019 08:53:21 +0000 (10:53 +0200)
committer	Wolfgang Bumiller <w.bumiller@proxmox.com>
	Wed, 23 Oct 2019 08:53:21 +0000 (10:53 +0200)