From: Serge Hallyn
Date: Tue, 8 Mar 2016 03:10:58 +0000 (-0800)
Subject: prevent containers from reading /sys/kernel/debug
X-Git-Tag: lxc-2.0.0.rc8~5^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F879%2Fhead;p=thirdparty%2Flxc.git

prevent containers from reading /sys/kernel/debug

Unprivileged containers cannot read it anyway, but also prevent root owned containers from doing so. Sadly upstart's mountall won't run if we try to prevent it from being mounted at all.

Signed-off-by: Serge Hallyn
---
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 6e924dbee..61b24eb2a 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,6 +93,9 @@
 mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
 mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 
+ # deny reads from debugfs
+ deny /sys/kernel/debug/{,**} rwklx,
+
 # generated by: lxc-generate-aa-rules.py container-rules.base
 deny /proc/sys/[^kn]*{,/**} wklx,
 deny /proc/sys/k[^e]*{,/**} wklx,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2237a477c..51fb5d461 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -93,3 +93,6 @@
 mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
 mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 
+ # deny reads from debugfs
+ deny /sys/kernel/debug/{,**} rwklx,
+
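Review bot: The comment `# deny reads from debugfs` above the new rule understates it: `rwklx` denies read, write, lock, link and execute on `/sys/kernel/debug/` and everything beneath it, and since AppArmor `deny` rules take precedence over allow rules, a profile that includes this abstraction cannot re-open access with a later allow. Suggest `# deny all file access (rwklx) under debugfs; the mount itself stays permitted so upstart's mountall keeps working`, which also records in the profile the trade-off the commit message explains. The rule is path-based, so a debugfs instance mounted at another path would presumably not be covered — worth stating if that is intended. The same lines are added in the second hunk (container-base.in), where the comment applies equally.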