We use cookies to ensure you get the best experience on our website
Inicio Explorar Axuda
Rexistro Iniciar sesión
0ct0pu5
/
moby
1
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Explorar o código

profiles/apparmor: deny /sys/devices/virtual/powercap

While this is not strictly necessary as the default OCI config masks this
path, it is possible that the user disabled path masking, passed their
own list, or is using a forked (or future) daemon version that has a
modified default config/allows changing the default config.

Add some defense-in-depth by also masking out this problematic hardware
device with the AppArmor LSM.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Bjorn Neergaard hai 1 ano
pai
83cac3c3e3
achega
bddd826d7a
Modificáronse 1 ficheiros con 1 adicións e 0 borrados
Unificar vista Mostrar estatísticas de Diff
  1. 1 0
      profiles/apparmor/template.go

+ 1 - 0
profiles/apparmor/template.go
Ver ficheiro 

@@ -46,6 +46,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 
   deny /sys/fs/c[^g]*/** wklx,
 
   deny /sys/fs/c[^g]*/** wklx,
 
   deny /sys/fs/cg[^r]*/** wklx,
 
   deny /sys/fs/cg[^r]*/** wklx,
 
   deny /sys/firmware/** rwklx,
 
   deny /sys/firmware/** rwklx,
 
+  deny /sys/devices/virtual/powercap/** rwklx,
 
   deny /sys/kernel/security/** rwklx,
 
   deny /sys/kernel/security/** rwklx,
 
 
 
   # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
 
   # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5