Merge pull request from GHSA-7ww5-4wqc-m92c

[main] deny /sys/devices/virtual/powercap
2023-12-08 11:35:49 -08:00
parent 4a6a5af8d0 6c6dfcbce2
commit 9e4d53df75
2 changed files with 2 additions and 0 deletions
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -76,6 +76,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
+  deny /sys/devices/virtual/powercap/** rwklx,
  deny /sys/kernel/security/** rwklx,

  # allow processes within the container to trace each other,