From 6c6dfcbce267d2a709b409c6c1947ef729413519 Mon Sep 17 00:00:00 2001
From: Bjorn Neergaard
Date: Mon, 18 Sep 2023 16:57:09 -0600
Subject: [PATCH] contrib/apparmor: deny /sys/devices/virtual/powercap

While this is not strictly necessary as the default OCI config masks this path, it is possible that the user disabled path masking, passed their own list, or is using a forked (or future) daemon version that has a modified default config/allows changing the default config.

Add some defense-in-depth by also masking out this problematic hardware device with the AppArmor LSM.

Signed-off-by: Bjorn Neergaard
---
 contrib/apparmor/template.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
index 20ac3c9bf..75df0d99e 100644
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -77,6 +77,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
+ deny /sys/devices/virtual/powercap/** rwklx,
  deny /sys/kernel/security/** rwklx,
 
  # allow processes within the container to trace each other,
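Review bot: The added `deny /sys/devices/virtual/powercap/** rwklx,` carries no in-profile comment, so the rationale lives only in the commit message while a reader of template.go sees one more bare sysfs path among the existing denies. Suggest preceding the new line with a template comment such as `# powercap exposes the RAPL energy counters; the default OCI config masks this path, the deny here is defense in depth in case masking is disabled or overridden`. The `/**` glob follows the convention of the neighbouring `/sys/firmware/**` and `/sys/kernel/security/**` rules, matching entries below the directory rather than the directory node itself, which seems to be the intended scope. AppArmor presumably mediates on the resolved path, so accesses via the `/sys/class/powercap` symlinks should land under this rule as well — worth confirming when the profile is loaded and recording in the same comment. The enclosing profile block starts before and continues past this hunk.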