[aa-profile] Deny access to /proc/acpi/**

Signed-off-by: Pierre-Elliott Bécue <becue@crans.org>
2025-08-30 22:49:34 +00:00 · 2019-08-10 22:07:42 +02:00
parent 772900e7d2
commit ec90f35b4c
1 changed files with 1 additions and 0 deletions
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -73,6 +73,7 @@
  # block some other dangerous paths
  deny @{PROC}/kcore rwklx,
  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/acpi/** rwklx,

  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)