These files don't exist under /proc, so these rules do nothing.
Access to them is already blocked by Docker's default device cgroup, since
they are both character devices that are not explicitly allowed.
Signed-off-by: Tycho Andersen <tycho@docker.com>
@@ -24,8 +24,6 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
| 24 | 24 |
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
|
| 25 | 25 |
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
|
| 26 | 26 |
deny @{PROC}/sysrq-trigger rwklx,
|
| 27 |
- deny @{PROC}/mem rwklx,
|
|
| 28 |
- deny @{PROC}/kmem rwklx,
|
|
| 29 | 27 |
deny @{PROC}/kcore rwklx,
|
| 30 | 28 |
|
| 31 | 29 |
deny mount, |