From: Wolfgang Bumiller Date: Wed, 23 Oct 2019 08:53:21 +0000 (+0200) Subject: apparmor: Prevent writes to /proc/acpi/** X-Git-Tag: lxc-4.0.0~103^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3169%2Fhead;p=thirdparty%2Flxc.git apparmor: Prevent writes to /proc/acpi/** Same as #3117. Signed-off-by: Wolfgang Bumiller
---
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index e32b12531..b8d446b5c 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -121,6 +121,7 @@ static const char AA_PROFILE_BASE[] =
 " # block some other dangerous paths\n"
 " deny @{PROC}/kcore rwklx,\n"
 " deny @{PROC}/sysrq-trigger rwklx,\n"
+" deny @{PROC}/acpi/** rwklx,\n"
 "\n"
 " # deny writes in /sys except for /sys/fs/cgroup, also allow\n"
 " # fusectl, securityfs and debugfs to be mounted there (read-only)\n"
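Review bot: The added `deny @{PROC}/acpi/** rwklx,` rule blocks reads as well as writes, while the subject line only speaks of preventing writes, and nothing in the profile text says why this path is on the list. That matches the neighbouring kcore and sysrq-trigger rules, so it is probably intended, but a comment line before it such as `"  # /proc/acpi exposes host-wide ACPI controls, keep containers out\n"` would record the reason in the generated profile instead of leaving it to the reference to #3117. A plain `deny` rule is also not logged by AppArmor, so a denied access to this path leaves no audit record; `audit deny @{PROC}/acpi/** rwklx,` would give that visibility if it is wanted. The AA_PROFILE_BASE initializer starts and ends outside the hunk, so whether another rule in the profile already overlaps this path cannot be checked from here.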