Merge pull request from GHSA-jq35-85cj-fj4p

[24.0 backport] deny /sys/devices/virtual/powercap
Sebastiaan van Stijn 2023-10-25 23:57:51 +02:00 committed by GitHub
commit af608045ee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 0 deletions


@ -113,6 +113,7 @@ func DefaultLinuxSpec() specs.Spec {
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/devices/virtual/powercap",
},
ReadonlyPaths: []string{
"/proc/bus",
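Review bot: The new MaskedPaths entry for `/sys/devices/virtual/powercap` carries no comment, so a reader of this list cannot tell why one device directory is masked next to the firmware tree or which advisory motivated it; add `// GHSA-jq35-85cj-fj4p: hide the powercap energy-usage counters from containers` above the entry. If a test already pins the default spec's masked paths, extend it to assert this entry so a later edit to the list does not silently drop it — no test change is part of this diff. The enclosing function `DefaultLinuxSpec` starts before the hunk, so whether this list is also applied to privileged containers cannot be confirmed from here.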


@ -47,6 +47,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/devices/virtual/powercap/** rwklx,
deny /sys/kernel/security/** rwklx,
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
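Review bot: The added `deny /sys/devices/virtual/powercap/** rwklx,` rule follows the `/sys/firmware/**` rule's form, which denies the entries beneath the directory but not the directory node itself, and nothing in the template records why this path joined the deny list; add `# GHSA-jq35-85cj-fj4p: deny access to powercap energy-usage counters` above it. This rule only applies where the generated profile is loaded, so it complements the MaskedPaths entry added in the Go spec rather than replacing it — worth stating in that comment so neither entry is removed as redundant. The enclosing `profile` block starts outside the hunk.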