github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request from GHSA-7ww5-4wqc-m92c

Browse Source 
[main] deny /sys/devices/virtual/powercap
This commit is contained in:
Derek McGowan 2023-12-08 11:35:49 -08:00 committed by GitHub
commit 9e4d53df75
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
contrib/apparmor/template.go
View File

@ -76,6 +76,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/** rwklx,
deny /sys/devices/virtual/powercap/** rwklx,
deny /sys/kernel/security/** rwklx,
# allow processes within the container to trace each other,

1
oci/spec.go
View File

@ -196,6 +196,7 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/sys/devices/virtual/powercap",
"/proc/scsi",
},
ReadonlyPaths: []string{