[Debian][aa profiles] Also deny /proc/acpi to the containers #3115

Closed
P-EB opened this issue Aug 5, 2019 · 3 comments · Fixed by #3117

Comments


P-EB commented Aug 5, 2019

Hi,

It occurred to me via bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906805 on Debian that LXC might be vulnerable to CVE-2018-10892.

I had a look at the apparmor profiles and the source code, and nothing seems to mask /proc/acpi from the container when it's not an unprivileged one.

Did I miss something? Otherwise maybe it'd be a good idea to prevent the access to /proc/acpi via apparmor, or, better, via the core code of LXC with, potentially, a config parameter to allow the access to /proc/acpi?

With best regards <3


stgraber commented Aug 5, 2019

Ah yeah, sounds like something we should have an apparmor deny for that one too.
Want to send a PR that adds it?


P-EB commented Aug 7, 2019

@stgraber I could do it, yeah, just confirm that this diff is fine with you:

diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in  
index 1a3ead8..2606fb6 100644                                                                                 
--- a/config/apparmor/abstractions/container-base.in                                                          
+++ b/config/apparmor/abstractions/container-base.in                                                          
@@ -73,6 +73,7 @@                                                                                             
   # block some other dangerous paths                                                                         
   deny @{PROC}/kcore rwklx,                                                                                  
   deny @{PROC}/sysrq-trigger rwklx,                                                                          
+  deny @{PROC}/acpi/** rwklx,                                                                                
                                                                                                              
   # deny writes in /sys except for /sys/fs/cgroup, also allow                                                
   # fusectl, securityfs and debugfs to be mounted there (read-only) 
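
Review bot: the added rule `deny @{PROC}/acpi/** rwklx,` covers entries beneath the directory, but in AppArmor globbing `/acpi/**` does not match the directory `@{PROC}/acpi/` itself, so access to the directory entry is still decided by whatever other rules apply. If the intent is to block the whole subtree in the same way the single-file denies for kcore and sysrq-trigger above it block those files, consider a companion `deny @{PROC}/acpi/ rwklx,` line. The "block some other dangerous paths" comment could also say why acpi is listed (the issue cites CVE-2018-10892), so the rule is not dropped later as unexplained.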


P-EB commented Aug 10, 2019

@stgraber done
