From 693b4ac67ad0638be9defbae771f62d860380f31 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Fri, 16 Sep 2016 02:21:31 +0000
Subject: [PATCH] apparmor: prohibit /sys/firmware/** from being accessed

Some firmware information including SMBIOS and ACPI tables were unexpectedly exposed

Signed-off-by: Akihiro Suda
---
 docs/security/apparmor.md | 4 ++--
 profiles/apparmor/template.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/security/apparmor.md b/docs/security/apparmor.md
index 62df4b794c..0ef5861639 100644
--- a/docs/security/apparmor.md
+++ b/docs/security/apparmor.md
@@ -59,7 +59,7 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/[^c]*/** wklx,
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
-  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/firmware/** rwklx,
   deny /sys/kernel/security/** rwklx,
 }
 ```
@@ -175,7 +175,7 @@ profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/[^c]*/** wklx,
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
-  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/firmware/** rwklx,
   deny /sys/kernel/security/** rwklx,
 }
 ```
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
index ada33bf0f1..dd9da97216 100644
--- a/profiles/apparmor/template.go
+++ b/profiles/apparmor/template.go
@@ -35,7 +35,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/[^c]*/** wklx,
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
-  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/firmware/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
 {{if ge .Version 208095}}
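Review bot: The widened `deny /sys/firmware/** rwklx,` line in the template.go hunk closes off the raw SMBIOS and ACPI tables, but the DMI strings the kernel decodes from those same SMBIOS tables are, as far as I know, also exported under `/sys/class/dmi/id/` (a symlink into `/sys/devices/virtual/dmi/id/`, carrying product_uuid, board_serial and similar host identifiers), and nothing in this hunk denies that path — worth confirming on a host and, if so, adding a matching deny so the same data is not reachable by another name. The rule is also defense-in-depth only: it is enforced solely when the host has AppArmor enabled and the profile is actually attached, which presumably excludes `--privileged` containers, so it should not be the only control relied on for hiding firmware data. Because the reason for the broadening lives only in the commit message, a one-line profile comment above the rule such as `# /sys/firmware exposes SMBIOS/ACPI tables and EFI vars (host fingerprinting)` would keep it from being narrowed back to efivars later. The profile template this hunk sits in begins and ends outside the hunk.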