Re: [PATCH] AppArmor: allow QEMU to set_process_name.

On Tue, Dec 6, 2016 at 5:40 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
> I forgot to reiterate: the above is true *unless* there is another non-DAC, non-
> MAC kernel mediation (eg, does the kernel only allow modifying the 'comm' value
> of its own threads? If so, then the rule would be safe to add to the default
> abstraction (though we should document that it is safe)).

Thanks for your help, Jamie, on thinking through the implications of this - I really appreciate it!
For the given interface, v2 should be safe; see e.g. http://man7.org/linux/man-pages/man5/proc.5.html
Quoting from there: "... A thread may modify its comm value, or that of any of other thread in the same thread group ..."


--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
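The kernel-mediation argument above can be checked directly. The following is an added example, not code from this thread, libvirt, QEMU or AppArmor; it assumes Linux with procfs mounted, renames the calling thread through its own comm file, then shows what happens when the parent tries the same write against a forked child (a different thread group, same uid).

```c
/* Added example: exercise the /proc/<pid>/task/<tid>/comm write path that the
 * AppArmor rule in this thread permits. On mainline Linux, fs/proc/base.c
 * comm_write() only applies the write when the writer is in the same thread
 * group as the target task and returns -EINVAL otherwise, independent of DAC
 * file modes or any MAC policy. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write name into the comm file at path; returns 0 on success, errno on failure. */
static int write_comm(const char *path, const char *name) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    int rc = write(fd, name, strlen(name)) < 0 ? errno : 0;
    close(fd);
    return rc;
}

/* Rename the calling thread via procfs and confirm it via prctl(PR_GET_NAME).
 * Returns 1 if the new name is visible, 0 otherwise. */
int rename_self_via_proc(const char *name) {
    char path[64], got[17] = {0};   /* TASK_COMM_LEN is 16 including the NUL */
    snprintf(path, sizeof path, "/proc/self/task/%ld/comm", (long)syscall(SYS_gettid));
    if (write_comm(path, name) != 0) return 0;
    if (prctl(PR_GET_NAME, got, 0, 0, 0) != 0) return 0;
    return strncmp(got, name, 15) == 0;
}

/* Fork a child (separate thread group, same uid) and try to rename it from the
 * parent. Returns the errno of the rejected write (EINVAL on mainline Linux),
 * 0 if the kernel allowed it, or -1 on setup failure. */
int rename_other_process(void) {
    int pipefd[2];
    if (pipe(pipefd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { char c; close(pipefd[1]); (void)read(pipefd[0], &c, 1); _exit(0); }
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/comm", (long)pid);
    int rc = write_comm(path, "hijacked");   /* constructed name, never applied on Linux */
    close(pipefd[0]); close(pipefd[1]);      /* EOF on the pipe releases the child */
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void) {
    printf("self rename visible: %d\n", rename_self_via_proc("qemu-demo"));
    int rc = rename_other_process();
    printf("cross-process rename: %s\n", rc > 0 ? strerror(rc) : "allowed");
    return 0;
}
```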
