Merge pull request #26618 from AkihiroSuda/fix-apparmor

apparmor: prohibit /sys/firmware/** from being accessed Upstream-commit: 07b5311147c319a003324e8f26ceb829ed5cc240 Component: engine
2016-09-16 07:41:36 -07:00
parent 9566044db8 23bac4b64f
commit a7caeb2743
2 changed files with 3 additions and 3 deletions
--- a/components/engine/docs/security/apparmor.md
+++ b/components/engine/docs/security/apparmor.md
@ -59,7 +59,7 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
-  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
 }
 ```
@ -175,7 +175,7 @@ profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
-  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
 }
 ```
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@ -35,7 +35,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
-  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,

 {{if ge .Version 208095}}