From 95ad620e0c246f7bff395d4ce261ba96d6a52c18 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Wed, 23 Oct 2019 10:53:21 +0200
Subject: [PATCH] apparmor: Prevent writes to /proc/acpi/**

Same as #3117.

Signed-off-by: Wolfgang Bumiller
---
 src/lxc/lsm/apparmor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index e32b12531..b8d446b5c 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -121,6 +121,7 @@ static const char AA_PROFILE_BASE[] =
 " # block some other dangerous paths\n"
 " deny @{PROC}/kcore rwklx,\n"
 " deny @{PROC}/sysrq-trigger rwklx,\n"
+" deny @{PROC}/acpi/** rwklx,\n"
 "\n"
 " # deny writes in /sys except for /sys/fs/cgroup, also allow\n"
 " # fusectl, securityfs and debugfs to be mounted there (read-only)\n"
-- 
2.47.2
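Review bot: The added rule `" deny @{PROC}/acpi/** rwklx,\n"` denies read (and lock/link/exec) access as well as write, so the subject line "Prevent writes to /proc/acpi/**" and the description "Same as #3117" understate what the profile now does; since AppArmor `deny` rules take precedence over any `allow` for @{PROC} elsewhere in the profile, a container workload that only read files under /proc/acpi will start failing after this change. If full denial is intended (it is consistent with the neighbouring kcore and sysrq-trigger entries), say so in the commit message and add a profile comment on the line before it, e.g. `" # deny /proc/acpi entirely, not just writes: it exposes host hardware state\n"`; if only writes are the concern, `wklx` matches the stated intent. It is also worth confirming whether the `/proc/acpi/**` glob covers the `/proc/acpi` directory entry itself, since the rule as written presumably matches only paths beneath it. The `AA_PROFILE_BASE` string definition begins and ends outside this hunk.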