AppArmor: Deny w to /proc/* files
@@ -40,14 +40,11 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
| 40 | 40 |
file, |
| 41 | 41 |
umount, |
| 42 | 42 |
|
| 43 |
- deny @{PROC}/sys/fs/** wklx,
|
|
| 44 |
- deny @{PROC}/fs/** wklx,
|
|
| 43 |
+ deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
|
|
| 45 | 44 |
deny @{PROC}/sysrq-trigger rwklx,
|
| 46 | 45 |
deny @{PROC}/mem rwklx,
|
| 47 | 46 |
deny @{PROC}/kmem rwklx,
|
| 48 | 47 |
deny @{PROC}/kcore rwklx,
|
| 49 |
- deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
|
|
| 50 |
- deny @{PROC}/sys/kernel/*/** wklx,
|
|
| 51 | 48 |
|
| 52 | 49 |
deny mount, |
| 53 | 50 |
|
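Review bot: The single rule at new line 43 (`deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,`) appears to cover less than the five rules it replaces: AppArmor's glob syntax has no negation operator outside a bracket expression, so as far as I can tell `**^[0-9*]` matches only a path ending in a literal caret followed by a digit or asterisk, which would leave `/proc/sys/fs/**` and most of `/proc/sys/kernel/**` writable again. The third alternative also inverts the removed `[^s][^h][^m]*` rule, denying `sys/kernel/shm*` where the old profile denied everything except it, and the permission set drops `l` (`wkx` instead of `wklx`). A comment above the rule stating the intended coverage, e.g. `# deny write to files directly under /proc and to non-PID subtrees, except /proc/sys/kernel/shm*`, would make the glob checkable against its intent. The test added in the second hunk only chmods /proc/cpuinfo; a write under /proc/sys would exercise the subtree alternatives too.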
@@ -2808,6 +2808,18 @@ func (s *DockerSuite) TestAppArmorTraceSelf(c *check.C) {
|
| 2808 | 2808 |
} |
| 2809 | 2809 |
} |
| 2810 | 2810 |
|
| 2811 |
+func (s *DockerSuite) TestAppArmorDeniesChmodProc(c *check.C) {
|
|
| 2812 |
+ testRequires(c, SameHostDaemon, NativeExecDriver, Apparmor) |
|
| 2813 |
+ _, exitCode, _ := dockerCmdWithError("run", "busybox", "chmod", "744", "/proc/cpuinfo")
|
|
| 2814 |
+ if exitCode == 0 {
|
|
| 2815 |
+ // If our test failed, attempt to repair the host system... |
|
| 2816 |
+ _, exitCode, _ := dockerCmdWithError("run", "busybox", "chmod", "444", "/proc/cpuinfo")
|
|
| 2817 |
+ if exitCode == 0 {
|
|
| 2818 |
+ c.Fatal("AppArmor was unsuccessful in prohibiting chmod of /proc/* files.")
|
|
| 2819 |
+ } |
|
| 2820 |
+ } |
|
| 2821 |
+} |
|
| 2822 |
+ |
|
| 2811 | 2823 |
func (s *DockerSuite) TestRunCapAddSYSTIME(c *check.C) {
|
| 2812 | 2824 |
testRequires(c, NativeExecDriver) |
| 2813 | 2825 |
|
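Review bot: TestAppArmorDeniesChmodProc passes silently when the first chmod succeeds but the repair chmod fails, because `c.Fatal` at new line 2818 is only reached when the inner `exitCode == 0`; a profile that does not deny the write plus a host whose mode could not be restored is reported as success. The repair result should not gate the failure: inside the outer `if exitCode == 0 {`, use `_, repairCode, _ := dockerCmdWithError("run", "busybox", "chmod", "444", "/proc/cpuinfo")` and then fail unconditionally with `c.Fatalf("AppArmor was unsuccessful in prohibiting chmod of /proc/* files (repair exit code %d)", repairCode)`. This also removes the inner `_, exitCode, _ :=` at line 2816, which shadows the outer exitCode and is what go vet's shadow check flags. Both run errors are discarded as well, so a container that fails to start at all is indistinguishable from a denied chmod; checking the returned output for the denial would tighten the assertion.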