profiles/apparmor: deny /sys/devices/virtual/powercap
While this is not strictly necessary as the default OCI config masks this path, it is possible that the user disabled path masking, passed their own list, or is using a forked (or future) daemon version that has a modified default config/allows changing the default config. Add some defense-in-depth by also masking out this problematic hardware device with the AppArmor LSM.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
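An added check, not part of this commit or of the daemon's code base, that models the AppArmor file-glob semantics used by these template rules so a reviewer can confirm which paths the deny lines cover (and which they deliberately leave alone, such as the cgroup tree). The glob-to-regex translation, the assumption that character classes never match `/`, and the sample paths are my own construction.

```python
import re

# Deny rules copied from the profile template hunk on this page.
PROFILE_DENY_RULES = """
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/devices/virtual/powercap/** rwklx,
deny /sys/kernel/security/** rwklx,
"""

RULE_RE = re.compile(r"^\s*deny\s+(\S+)\s+([a-z]+),\s*$")


def glob_to_regex(glob: str) -> str:
    """Translate an AppArmor file glob to a Python regex.

    Modelled semantics: '*' and '?' never cross '/', '**' does; '[...]' and
    '[^...]' are character classes (assumption: neither matches '/').
    '{a,b}' alternation is not modelled; everything else is literal.
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":
            j = glob.index("]", i)
            body = glob[i + 1:j]
            out.append("[^/%s]" % body[1:] if body.startswith("^") else "[%s]" % body)
            i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return "^" + "".join(out) + "$"


def parse_deny_rules(text: str):
    """Return [(compiled regex, permission set)] for each 'deny <glob> <perms>,' line."""
    return [(re.compile(glob_to_regex(m.group(1))), set(m.group(2)))
            for m in map(RULE_RE.match, text.splitlines()) if m]


def is_denied(path: str, perm: str, rules=None) -> bool:
    """True when a deny rule matches `path` and lists permission `perm` (r, w, k, l, x)."""
    rules = parse_deny_rules(PROFILE_DENY_RULES) if rules is None else rules
    return any(rx.match(path) and perm in perms for rx, perms in rules)
```

Running it shows the new rule denies both read and write beneath the powercap directory, while the two `/sys/fs/c...` rules deny only writes and skip `cgroup` entirely.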
This commit is contained in:
parent
83cac3c3e3
commit
bddd826d7a
1 changed files with 1 additions and 0 deletions
@ -46,6 +46,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/devices/virtual/powercap/** rwklx,
deny /sys/kernel/security/** rwklx,
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
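Review bot: the added `deny /sys/devices/virtual/powercap/** rwklx,` line carries no in-profile comment, so the reason it exists (defense-in-depth for a path the default OCI config already masks, per the commit message) is invisible to anyone reading the template later; suggest a one-line comment above it in the style of the `# suppress ptrace denials ...` comment further down this hunk. The permission set and placement are consistent with the neighbouring `/sys/firmware/**` and `/sys/kernel/security/**` rules (`rwklx`, rather than the write-only `wklx` used for the `/sys/fs/c...` entries), which is the right choice for a read-sensitive sysfs subtree. It would also be worth saying in the commit message that this layer only applies to containers running under the generated default profile, so it complements the OCI masked path rather than replacing it.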