apparmor: allow qemu abstraction to read /proc/pid/cmdline

Noticed the following denial in audit.log when shutting down an apparmor confined domain type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0 Squelch the denial by allowing read access to /proc/<pid>/cmdline.

apparmor: allow qemu abstraction to read /proc/pid/cmdline
Noticed the following denial in audit.log when shutting down an apparmor confined domain type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0 Squelch the denial by allowing read access to /proc/<pid>/cmdline.
0af5ced4 · Jim Fehlig · 684c0f18 · 0af5ced4
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

examples/apparmor/libvirt-qemu examples/apparmor/libvirt-qemu +4 -0

未找到文件。
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -25,6 +25,10 @@
  /dev/ptmx rw,
  /dev/kqemu rw,
  @{PROC}/*/status r,
+  # When qemu is signaled to terminate, it will read cmdline of signaling
+  # process for reporting purposes. Allowing read access to a process
+  # cmdline may leak sensitive information embedded in the cmdline.
+  @{PROC}/@{pid}/cmdline r,
  # Per man(5) proc, the kernel enforces that a thread may
  # only modify its comm value or those in its thread group.
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,