Merge pull request from GHSA-jq35-85cj-fj4p

thaJeztah · web-flow · commit af608045eef0 · 2023-10-25T23:57:51.000+02:00
[24.0 backport] deny /sys/devices/virtual/powercap
diff --git a/oci/defaults.go b/oci/defaults.go
@@ -113,6 +113,7 @@ func DefaultLinuxSpec() specs.Spec {
 				"/proc/sched_debug",
 				"/proc/scsi",
 				"/sys/firmware",
+				"/sys/devices/virtual/powercap",
 			},
 			ReadonlyPaths: []string{
 				"/proc/bus",
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
@@ -47,6 +47,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/** rwklx,
+  deny /sys/devices/virtual/powercap/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
   # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
