From 18103c35ed986957d1ae90f939501b0c0f2e65aa Mon Sep 17 00:00:00 2001
From: Tycho Andersen
Date: Mon, 2 Oct 2017 23:00:21 -0600
Subject: [PATCH] drop useless apparmor denies

mem and kmem are really in /dev, so this does us no good.

Signed-off-by: Tycho Andersen
---
 config/apparmor/abstractions/container-base | 2 --
 config/apparmor/abstractions/container-base.in | 2 --
 src/tests/aa.c | 2 +-
 3 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 06290de2c..a5e6c35f6 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -72,8 +72,6 @@
 
 # block some other dangerous paths
 deny @{PROC}/kcore rwklx,
- deny @{PROC}/kmem rwklx,
- deny @{PROC}/mem rwklx,
 deny @{PROC}/sysrq-trigger rwklx,
 
 # deny writes in /sys except for /sys/fs/cgroup, also allow
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 5bc9b28bf..16529bbf0 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -72,8 +72,6 @@
 
 # block some other dangerous paths
 deny @{PROC}/kcore rwklx,
- deny @{PROC}/kmem rwklx,
- deny @{PROC}/mem rwklx,
 deny @{PROC}/sysrq-trigger rwklx,
 
 # deny writes in /sys except for /sys/fs/cgroup, also allow
diff --git a/src/tests/aa.c b/src/tests/aa.c
index 1ab199723..f21b2b70e 100644
--- a/src/tests/aa.c
+++ b/src/tests/aa.c
@@ -105,7 +105,7 @@ char *files_to_allow[] = {
 "/sys/class/net/lo/ifalias",
 "/proc/sys/kernel/shmmax",
 NULL };
-char *files_to_deny[] = { "/proc/mem", "/proc/kmem",
+char *files_to_deny[] = {
 "/sys/kernel/uevent_helper",
 "/proc/sys/fs/file-nr",
 "/sys/kernel/mm/ksm/pages_to_scan",
-- 
2.47.2
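Review bot: The `+` line in the aa.c hunk drops "/proc/mem" and "/proc/kmem" from files_to_deny without adding the /dev counterparts that the commit message identifies as the real locations, so the test no longer checks that any raw-memory device path is refused. If the profile is meant to block those devices (whether through an AppArmor deny rule or the device cgroup — neither is visible in this patch), consider adding `"/dev/mem", "/dev/kmem",` to files_to_deny so the test covers the intended restriction instead of silently losing it. If access to those paths is instead expected to be governed elsewhere, a one-line comment above the array saying so would stop the next reader from re-adding the /proc entries. The files_to_deny initializer continues past the end of the hunk.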