[aa-profile] Deny access to /proc/acpi/**

Signed-off-by: Pierre-Elliott Bécue <becue@crans.org>

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 1a3ead89ad6d40753166bf1da9a2a62eb01b80b9..2606fb64c67c2f7e7829c6cc88b9fc86d329928a 100644 (file)
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -73,6 +73,7 @@
   # block some other dangerous paths
   deny @{PROC}/kcore rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/acpi/** rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)