From 4845c17aff570c25e05c5347dfdcd577cb108d47 Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Wed, 16 Mar 2016 14:48:49 -0700
Subject: [PATCH] Prevent access to pci devices

Prevent privileged containers from messing with the host's pci devices directly. Refuse access under /proc/bus, and drop cap_sys_rawio. Some containers may need to re-enable cap_sys_rawio (i.e. if they run an X server). It may be desirable to break some of this stuff into files which can be separately included (or not included), but this patch isn't the right place for that.

Signed-off-by: Serge Hallyn
---
 config/apparmor/abstractions/container-base | 3 +++
 config/apparmor/abstractions/container-base.in | 3 +++
 config/templates/common.conf.in | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 61b24eb2a..c9f5947c1 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -66,6 +66,9 @@ mount options=(rw, bind) /run/ -> /var/run/,
 mount options=(rw, bind) /run/lock/ -> /var/lock/,
+ # deny access under /proc/bus to avoid e.g. messing with pci devices directly
+ deny @{PROC}/bus/** wklx,
+
 # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
 mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
 deny @{PROC}/sys/fs/** wklx,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 51fb5d461..4cd409de8 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
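Review bot: The added `deny @{PROC}/bus/** wklx,` cannot be relaxed by a profile that includes this abstraction, because an AppArmor `deny` always wins over a later `allow`; the X-server case the commit message mentions therefore needs a profile built without container-base, not just cap_sys_rawio restored, and the comment should say so, e.g. `# deny writes under /proc/bus (pci, input, usb) so the container cannot poke host devices directly; deny rules cannot be overridden by an including profile`. The rule leaves `r` allowed, so /proc/bus/pci/devices and /proc/bus/input/devices still reveal the host's hardware inventory — acceptable for the stated goal, but worth naming as a deliberate choice in the comment. The same PCI config and resource files are also exposed under /sys/bus/pci and /sys/devices, which this hunk does not touch; presumably an existing /sys deny in this abstraction covers them, but that lies outside the hunk and should be confirmed.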
@@ -66,6 +66,9 @@ mount options=(rw, bind) /run/ -> /var/run/,
 mount options=(rw, bind) /run/lock/ -> /var/lock/,
+ # deny access under /proc/bus to avoid e.g. messing with pci devices directly
+ deny @{PROC}/bus/** wklx,
+
 # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
 mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
 deny @{PROC}/sys/fs/** wklx,
diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
index 80f31ced0..c1deadec1 100644
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -10,7 +10,7 @@ lxc.pts = 1024
 lxc.tty = 4
 # Drop some harmful capabilities
-lxc.cap.drop = mac_admin mac_override sys_time sys_module
+lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
 # Set the pivot directory
 lxc.pivotdir = lxc_putold
-- 
2.47.2
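Review bot: The new `sys_rawio` entry in `lxc.cap.drop` cannot be selectively removed by the containers the commit message says may need it back (an X server): as far as I know lxc accumulates `lxc.cap.drop` values across config lines, so a per-container config has to reset the list with an empty `lxc.cap.drop =` and restate the remaining entries, or use `lxc.cap.keep` instead. That procedure belongs next to the line so operators do not simply append another entry; e.g. replace `# Drop some harmful capabilities` with `# Drop some harmful capabilities (sys_rawio also gates /dev/mem, /dev/port and iopl/ioperm).` followed by `# To restore one, reset with an empty "lxc.cap.drop =" and restate the list without it.`. Dropping sys_rawio narrows raw hardware access, but sys_admin is not on this list, so the container remains highly privileged — consistent with the commit's scope, but it should not be read as isolation.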