prevent containers from reading /sys/kernel/debug

Unprivileged containers cannot read it anyway, but also prevent root
owned containers from doing so.  Sadly upstart's mountall won't run
if we try to prevent it from being mounted at all.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 6e924dbee4cd4a47667ede9fee66a3eb15eac788..61b24eb2ac200c5e19745432647ab5be580f54d5 100644 (file)
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,6 +93,9 @@
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,
+
   # generated by: lxc-generate-aa-rules.py container-rules.base
   deny /proc/sys/[^kn]*{,/**} wklx,
   deny /proc/sys/k[^e]*{,/**} wklx,

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2237a477cadcc599b449da490c83a4a9dc7986c2..51fb5d461dd21f9b7c94c9d18bd5db550375e0a5 100644 (file)
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -93,3 +93,6 @@
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,
+