Commit

Merge pull request from GHSA-7ww5-4wqc-m92c
[release/1.6 backport] deny /sys/devices/virtual/powercap
dmcgowan authored Dec 8, 2023
2 parents e7ca005 + 02f07fe commit 746b910
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions contrib/apparmor/template.go
Expand Up @@ -81,6 +81,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/devices/virtual/powercap/** rwklx,
deny /sys/kernel/security/** rwklx,
{{if ge .Version 208095}}
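Review bot: the added `deny /sys/devices/virtual/powercap/** rwklx,` rule has no comment saying why powercap is blocked. Suggest a short comment above the new line that names GHSA-7ww5-4wqc-m92c, so a later cleanup of the profile does not drop the rule as unexplained. This commit also adds the same path to the list in oci/spec.go, which means the two lists now have to be kept in sync by hand; a cross-reference to that file in the comment would make the coupling visible.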
1 change: 1 addition & 0 deletions oci/spec.go
Expand Up @@ -189,6 +189,7 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/sys/devices/virtual/powercap",
"/proc/scsi",
},
ReadonlyPaths: []string{
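Review bot: the new `"/sys/devices/virtual/powercap"` entry, added after `"/sys/firmware"` in the list that closes just above `ReadonlyPaths` in populateDefaultUnixSpec, comes without a test, since the commit changes 2 files with 2 additions only. Suggest an assertion in the spec tests that the default spec built by this function contains the path, so a later edit to the list cannot silently remove it. A one-line comment naming the advisory (GHSA-7ww5-4wqc-m92c) next to the entry would also explain why a /sys/devices path sits among the /proc and /sys/firmware entries.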