Merge pull request from GHSA-7ww5-4wqc-m92c

[main] deny /sys/devices/virtual/powercap

Author: dmcgowan

contrib/apparmor/template.go

@@ -76,6 +76,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/c[^g]*/** wklx,
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/** rwklx,
+  deny /sys/devices/virtual/powercap/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
   # allow processes within the container to trace each other,

oci/spec.go

@@ -196,6 +196,7 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
 				"/proc/timer_stats",
 				"/proc/sched_debug",
 				"/sys/firmware",
+				"/sys/devices/virtual/powercap",
 				"/proc/scsi",
 			},
 			ReadonlyPaths: []string{