[Debian][aa profiles] Also deny /proc/acpi to the containers #3115
Comments

stgraber: Ah yeah, sounds like something we should have an apparmor deny for that one too.

Issue author: @stgraber I could do it yeah, just confirm to me that this diff is fine with you.

Issue author: @stgraber done
Hi,
It occurred to me via bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906805 on Debian that LXC might be vulnerable to CVE-2018-10892.
I had a look at the apparmor profiles and the source code, and nothing seems to mask /proc/acpi from the container when it's not an unprivileged one.
Did I miss something? Otherwise maybe it'd be a good idea to prevent access to /proc/acpi via apparmor, or, better, via the core code of LXC with, potentially, a config parameter to allow access to /proc/acpi?
With best regards <3
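To illustrate the AppArmor side of what the issue asks for, here is an added example of a container-profile fragment, written for this page and not taken from the LXC project's profiles or from the diff discussed in the thread. It shows the weak state (no rule, so whatever the container's general /proc access allows applies to /proc/acpi too) next to a deny rule that masks the directory and everything under it. The profile name, the abstraction include and the comments are assumptions for illustration; only the `deny ... rwklx,` rule form is standard AppArmor syntax.

```apparmor
# Added example: masking /proc/acpi in a container AppArmor profile.
# Profile name and structure are illustrative assumptions, not LXC's own file.

profile example-container-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # Weak state: nothing here mentions /proc/acpi, so a privileged container
  # that is otherwise allowed to read and write under /proc can reach it.
  # (No rule needed to reproduce this; the absence of a rule is the problem.)

  # Hardened state: explicit deny, which takes precedence over any allow
  # rule elsewhere in the profile or its abstractions.
  # r = read, w = write, k = lock, l = link, x = execute
  deny /proc/acpi/   rwklx,
  deny /proc/acpi/** rwklx,
}
```

After reloading the profile with `apparmor_parser -r`, a quick check from inside a container confined by it is to attempt to list or read anything under /proc/acpi: the access should fail with "Permission denied", and the host's kernel log should carry a matching `apparmor="DENIED"` audit line naming the profile and the `/proc/acpi/...` path. If the read still succeeds, the container is not running under the profile you edited, which is worth confirming before assuming the mask is in place.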