apparmor: Block access to /proc/kcore

Just like we block access to mem and kmem, there's no good reason for
the container to have access to kcore.

Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 2d5fd7aa0ac8dafb16257ebe276429618ea0034c..ac8d4e993fd87cf06897733803ab2f10e22aa821 100644 (file)
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -70,9 +70,10 @@
   mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 
   # block some other dangerous paths
-  deny @{PROC}/sysrq-trigger rwklx,
-  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kcore rwklx,
   deny @{PROC}/kmem rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/sysrq-trigger rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 20657353b2725f4b8d049d5e8af1b2e09beb62ae..235913b52763844e075da16645af5ad1ce871afb 100644 (file)
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -70,9 +70,10 @@
   mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 
   # block some other dangerous paths
-  deny @{PROC}/sysrq-trigger rwklx,
-  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kcore rwklx,
   deny @{PROC}/kmem rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/sysrq-trigger rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)