Some firmware information, including SMBIOS and ACPI tables, was unexpectedly exposed
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
| ... | ... |
@@ -59,7 +59,7 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
|
| 59 | 59 |
deny /sys/fs/[^c]*/** wklx, |
| 60 | 60 |
deny /sys/fs/c[^g]*/** wklx, |
| 61 | 61 |
deny /sys/fs/cg[^r]*/** wklx, |
| 62 |
- deny /sys/firmware/efi/efivars/** rwklx, |
|
| 62 |
+ deny /sys/firmware/** rwklx, |
|
| 63 | 63 |
deny /sys/kernel/security/** rwklx, |
| 64 | 64 |
} |
| 65 | 65 |
``` |
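Review bot: The widened rule `deny /sys/firmware/** rwklx,` (repeated in the docker-nginx and `{{.Name}}` hunks further down) covers only the /sys/firmware view of the data named in the commit message. The kernel normally also exports SMBIOS-derived fields under `/sys/devices/virtual/dmi/id/`, and no rule for that path is visible in these hunks, so it is worth confirming whether it needs a matching deny. As far as I know, `/sys/firmware/**` matches entries below the directory but not `/sys/firmware/` itself, so the top-level listing probably stays readable; adding `deny /sys/firmware/ r,` would close that if it matters. Each profile body starts above its hunk, so rules outside the visible lines may already handle either case.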
| ... | ... |
@@ -175,7 +175,7 @@ profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
|
| 175 | 175 |
deny /sys/fs/[^c]*/** wklx, |
| 176 | 176 |
deny /sys/fs/c[^g]*/** wklx, |
| 177 | 177 |
deny /sys/fs/cg[^r]*/** wklx, |
| 178 |
- deny /sys/firmware/efi/efivars/** rwklx, |
|
| 178 |
+ deny /sys/firmware/** rwklx, |
|
| 179 | 179 |
deny /sys/kernel/security/** rwklx, |
| 180 | 180 |
} |
| 181 | 181 |
``` |
| ... | ... |
@@ -35,7 +35,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
| 35 | 35 |
deny /sys/fs/[^c]*/** wklx, |
| 36 | 36 |
deny /sys/fs/c[^g]*/** wklx, |
| 37 | 37 |
deny /sys/fs/cg[^r]*/** wklx, |
| 38 |
- deny /sys/firmware/efi/efivars/** rwklx, |
|
| 38 |
+ deny /sys/firmware/** rwklx, |
|
| 39 | 39 |
deny /sys/kernel/security/** rwklx, |
| 40 | 40 |
|
| 41 | 41 |
{{if ge .Version 208095}}
|
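Review bot: The new `deny /sys/firmware/** rwklx,` line in the `{{.Name}}` template has no comment recording why the whole tree is denied instead of only efivars, which makes it easy for a later edit to narrow the rule again. I would put `# /sys/firmware also exposes host SMBIOS and ACPI tables, so deny the whole tree, not just efi/efivars` directly above it. The same line is copied by hand into the docker-default and docker-nginx listings above, so a note that those copies must track the template would help too. The template body starts before the hunk and continues past `{{if ge .Version 208095}}`.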