apparmor: allow writes to sem* and msg* sysctls

author Serge Hallyn <serge.hallyn@ubuntu.com>

Tue, 29 Apr 2014 19:57:49 +0000 (14:57 -0500)

committer Serge Hallyn <serge.hallyn@ubuntu.com>

Tue, 29 Apr 2014 21:45:16 +0000 (16:45 -0500)
author Serge Hallyn <serge.hallyn@ubuntu.com>
Tue, 29 Apr 2014 19:57:49 +0000 (14:57 -0500)
committer Serge Hallyn <serge.hallyn@ubuntu.com>
Tue, 29 Apr 2014 21:45:16 +0000 (16:45 -0500)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base

index c109baad1611c828766b7ce6e1a217c1c7709308..71e93487ec4d6099ecdc7c809af7004d23ad2017 100644 (file)
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -55,7 +55,7 @@
    deny /proc/sys/ker[^n]*{,/**} wklx,
    deny /proc/sys/kern[^e]*{,/**} wklx,
    deny /proc/sys/kerne[^l]*{,/**} wklx,
-  deny /proc/sys/kernel/[^shd]*{,/**} wklx,
+  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
    deny /proc/sys/kernel/d[^o]*{,/**} wklx,
    deny /proc/sys/kernel/do[^m]*{,/**} wklx,
    deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
@@ -74,7 +74,12 @@
    deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
    deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
    deny /proc/sys/kernel/hostname?*{,/**} wklx,
-  deny /proc/sys/kernel/s[^h]*{,/**} wklx,
+  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+  deny /proc/sys/kernel/msg*/** wklx,
+  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/sem*/** wklx,
    deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
    deny /proc/sys/kernel/shm*/** wklx,
    deny /proc/sys/kernel?*{,/**} wklx,
diff --git a/config/apparmor/container-rules b/config/apparmor/container-rules

index 2c8c0b494a2a4e52e265dea65f945ff3cdc771df..ea5c4086f45cd36d53b1481a131a9fb292945514 100644 (file)
--- a/config/apparmor/container-rules
+++ b/config/apparmor/container-rules
@@ -5,7 +5,7 @@
    deny /proc/sys/ker[^n]*{,/**} wklx,
    deny /proc/sys/kern[^e]*{,/**} wklx,
    deny /proc/sys/kerne[^l]*{,/**} wklx,
-  deny /proc/sys/kernel/[^shd]*{,/**} wklx,
+  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
    deny /proc/sys/kernel/d[^o]*{,/**} wklx,
    deny /proc/sys/kernel/do[^m]*{,/**} wklx,
    deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
@@ -24,7 +24,12 @@
    deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
    deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
    deny /proc/sys/kernel/hostname?*{,/**} wklx,
-  deny /proc/sys/kernel/s[^h]*{,/**} wklx,
+  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+  deny /proc/sys/kernel/msg*/** wklx,
+  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/sem*/** wklx,
    deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
    deny /proc/sys/kernel/shm*/** wklx,
    deny /proc/sys/kernel?*{,/**} wklx,
diff --git a/config/apparmor/container-rules.base b/config/apparmor/container-rules.base

index 615f01519b4afe124b9d9d568198c1763fe49b73..a657481c64814aca8cc29a143e048a030c1d56b0 100644 (file)
--- a/config/apparmor/container-rules.base
+++ b/config/apparmor/container-rules.base
@@ -8,6 +8,8 @@ allow /sys/devices/virtual/net/**
  allow /sys/class/net/**
  block /proc/sys
  allow /proc/sys/kernel/shm*
+allow /proc/sys/kernel/sem*
+allow /proc/sys/kernel/msg*
  allow /proc/sys/kernel/hostname
  allow /proc/sys/kernel/domainname
  allow /proc/sys/net/**
author	Serge Hallyn <serge.hallyn@ubuntu.com>
	Tue, 29 Apr 2014 19:57:49 +0000 (14:57 -0500)
committer	Serge Hallyn <serge.hallyn@ubuntu.com>
	Tue, 29 Apr 2014 21:45:16 +0000 (16:45 -0500)
config/apparmor/abstractions/container-base		patch \| blob \| blame \| history
config/apparmor/container-rules		patch \| blob \| blame \| history
config/apparmor/container-rules.base		patch \| blob \| blame \| history