contrib/apparmor: deny /sys/devices/virtual/powercap

While this is not strictly necessary as the default OCI config masks this path, it is possible that the user disabled path masking, passed their own list, or is using a forked (or future) daemon version that has a modified default config/allows changing the default config. Add some defense-in-depth by also masking out this problematic hardware device with the AppArmor LSM. Signed-off-by: Bjorn Neergaard <[email protected]> (cherry picked from commit 6c6dfcb) Signed-off-by: Bjorn Neergaard <[email protected]>
containerd · Sep 18, 2023 · 02f07fe · 02f07fe
1 parent c94577e
commit 02f07fe
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
@@ -81,6 +81,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/** rwklx,
+  deny /sys/devices/virtual/powercap/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
 {{if ge .Version 208095}}