contrib/apparmor: deny /sys/devices/virtual/powercap

neersighted · neersighted · commit 6c6dfcbce267 · 2023-09-18T16:57:09.000-06:00
While this is not strictly necessary as the default OCI config masks this
path, it is possible that the user disabled path masking, passed their
own list, or is using a forked (or future) daemon version that has a
modified default config/allows changing the default config.

Add some defense-in-depth by also masking out this problematic hardware
device with the AppArmor LSM.

Signed-off-by: Bjorn Neergaard &lt;bjorn.neergaard@docker.com&gt;
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
@@ -77,6 +77,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/** rwklx,
+  deny /sys/devices/virtual/powercap/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
   # allow processes within the container to trace each other,
