summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorDjalal Harouni <tixxdz@opendz.org>2016-09-25 11:30:11 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-09-25 11:30:11 +0200
commit49accde7bd915944d99c947dca0cf26ae0f24165 (patch)
treee4f4fa6145b8b7ced935c228d264ea5f55834aa9 /src
parent9221aec8d09f3b55a08fcbe8012e48129474ab54 (diff)
core:sandbox: add more /proc/* entries to ProtectKernelTunables=
Make ALSA entries, latency interface, mtrr, apm/acpi, suspend interface, filesystems configuration and IRQ tuning readonly. Most of these interfaces now days should be in /sys but they are still available through /proc, so just protect them. This patch does not touch /proc/net/...
Diffstat (limited to 'src')
-rw-r--r--src/core/namespace.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 8aa8b83c88..3234fab4bc 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -74,7 +74,18 @@ typedef struct TargetMount {
static const TargetMount protect_kernel_tunables_table[] = {
{ "/proc/sys", READONLY, false },
{ "/proc/sysrq-trigger", READONLY, true },
+ { "/proc/latency_stats", READONLY, true },
+ { "/proc/mtrr", READONLY, true },
+ { "/proc/apm", READONLY, true },
+ { "/proc/acpi", READONLY, true },
+ { "/proc/timer_stats", READONLY, true },
+ { "/proc/asound", READONLY, true },
+ { "/proc/bus", READONLY, true },
+ { "/proc/fs", READONLY, true },
+ { "/proc/irq", READONLY, true },
{ "/sys", READONLY, false },
+ { "/sys/kernel/debug", READONLY, true },
+ { "/sys/kernel/tracing", READONLY, true },
{ "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
};