From: Stéphane Graber
Date: Sun, 28 Dec 2014 17:33:29 +0000 (+0100)
Subject: apparmor: Block access to /proc/kcore
X-Git-Tag: lxc-1.1.0.rc1~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98b745498bf97637f68311f944903777f3ee1e67;p=thirdparty%2Flxc.git
apparmor: Block access to /proc/kcore
Just like we block access to mem and kmem, there's no good reason for the container to have access to kcore.
Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber
Acked-by: Serge E. Hallyn
---
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 2d5fd7aa0..ac8d4e993 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -70,9 +70,10 @@ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 # block some other dangerous paths
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
+ deny @{PROC}/kcore rwklx,
 deny @{PROC}/kmem rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/sysrq-trigger rwklx,
 # deny writes in /sys except for /sys/fs/cgroup, also allow
 # fusectl, securityfs and debugfs to be mounted there (read-only)
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 20657353b..235913b52 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -70,9 +70,10 @@ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 # block some other dangerous paths
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
+ deny @{PROC}/kcore rwklx,
 deny @{PROC}/kmem rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/sysrq-trigger rwklx,
 # deny writes in /sys except for /sys/fs/cgroup, also allow
 # fusectl, securityfs and debugfs to be mounted there (read-only)
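Review bot: The comment `# block some other dangerous paths` above the new `deny @{PROC}/kcore rwklx,` line still does not say why these four entries belong together, and because the hunk also re-sorts the existing `mem` and `sysrq-trigger` lines, a reader of the diff cannot see at a glance that the only functional change is the added kcore deny. A slightly more specific comment such as `# block raw kernel-memory interfaces (kcore, kmem, mem) and sysrq-trigger` would keep that intent visible; the same applies to the identical hunk in config/apparmor/abstractions/container-base.in. AppArmor deny rules are, as far as I know, applied regardless of their position in the profile, so the alphabetical reorder should not change enforcement, but that is worth confirming against the profile's allow rules rather than assumed. These are path rules, so they cover only the procfs instance mounted at @{PROC}; the mount rules that decide where procfs may appear inside the container are outside this hunk and are what make the deny effective.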