From ec90f35b4cfdd9a22e518b7e7801c8fbd55b2f99 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Pierre-Elliott=20B=C3=A9cue?= <becue@crans.org>
Date: Sat, 10 Aug 2019 22:07:42 +0200
Subject: [PATCH] [aa-profile] Deny access to /proc/acpi/**
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pierre-Elliott Bécue <becue@crans.org>
---
 config/apparmor/abstractions/container-base.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 1a3ead89a..2606fb64c 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -73,6 +73,7 @@
   # block some other dangerous paths
   deny @{PROC}/kcore rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/acpi/** rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)
-- 
2.47.2