Re: [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

Hi,

Michal Privoznik:
> On 11/30/2017 06:43 PM, Jim Fehlig wrote:
>> I must admit it is not clear to me why
>> /proc/<libvirtd-pid>/cmdline is read on domain shutdown.

> It's the result of these qemu patches:

> fbe7e3327a8cfa1b08664c2cda7a0a341cf0530a
> 7dc9ae4339faa97e89daadb2e1098147ab4aadc8

> Whenever qemu receives a signal it reports PID that sent it.

Thanks a lot for investigating!

>>  examples/apparmor/libvirt-qemu | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
>> index 73bdbae87..3d9eed9ec 100644
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -25,6 +25,7 @@
>>    /dev/ptmx rw,
>>    /dev/kqemu rw,
>>    @{PROC}/*/status r,
>> +  @{PROC}/@{pid}/cmdline r,
>>    # Per man(5) proc, the kernel enforces that a thread may
>>    # only modify its comm value or those in its thread group.
>>    owner @{PROC}/@{pid}/task/@{tid}/comm rw,
>> 
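Review bot: the new `@{PROC}/@{pid}/cmdline r,` rule carries no `owner` qualifier, so, like the `@{PROC}/*/status r,` line just above it, it lets the confined QEMU read the command line of any process on the host rather than only its own. That is what this case needs, since the process being looked up is the signal sender (libvirtd), not QEMU itself, but the reason is not visible in the profile; the `comm` rule below is commented, so consider adding a one-line comment above the new rule, e.g. `# QEMU reads /proc/<pid>/cmdline of the process that sent it a signal`, so a later reader does not tighten it to `owner` by mistake.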

> ACK and safe for the freeze.

+1

(I've seen this denial for a while but did not notice any problem it
would cause, so I was wondering if we should allow this operation or
just ignore the denial & silence the logs. Now that we understand what
it is about, I agree we should allow it. Denying this access would
make it harder to debug issues in the future e.g. if QEMU ever starts
needing it for other, more critical reasons.)

Cheers,
-- 
intrigeri
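As an added illustration of the triage intrigeri describes (seeing the denial in the logs and deciding whether to allow it), the following Python is not part of the thread or of libvirt: it parses an AppArmor audit line of the kind the kernel emits for this access, maps a denied per-process /proc path onto a rule written with the same `@{PROC}`/`@{pid}` variables the profile uses, and splits the NUL-separated `/proc/<pid>/cmdline` content QEMU reads back. The sample audit line, the pid/uid values and the cmdline bytes are constructed; the `owner` decision is a heuristic based on comparing the file's owner uid (`ouid`) with the task's `fsuid`, not an AppArmor API.

```python
import re

# Constructed sample of the denial as it appears in the kernel audit log
# (all numeric values and the profile uuid are made up for illustration).
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1512061412.345:99): apparmor="DENIED" '
    'operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" '
    'name="/proc/4242/cmdline" pid=5150 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
)

# Constructed: what QEMU would read back for the signal sender (libvirtd).
SAMPLE_CMDLINE = b"/usr/sbin/libvirtd\x00--listen\x00"

# key=value pairs; values are either double-quoted or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def suggest_proc_rule(fields):
    """Map a DENIED open of /proc/<pid>/<file> to the profile rule that would
    allow it, using the @{PROC} and @{pid} variables the profile already uses.

    Returns None for allowed events and for paths that are not per-process
    /proc entries, so unrelated denials are not turned into rules.
    """
    if fields.get("apparmor") != "DENIED":
        return None
    m = re.fullmatch(r"/proc/(\d+)/(.+)", fields.get("name", ""))
    if not m:
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask", "r")
    # Heuristic (assumption, not an AppArmor rule): 'owner' only matches when
    # the /proc entry belongs to the confined task's own uid. Here the entry
    # is libvirtd's (ouid=0) while QEMU runs as fsuid=1000, so the rule must
    # stay unqualified or the read would still be denied.
    owner = "owner " if fields.get("ouid") == fields.get("fsuid") else ""
    return f"{owner}@{{PROC}}/@{{pid}}/{m.group(2)} {mask},"


def parse_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into argv."""
    return [arg.decode() for arg in raw.split(b"\0") if arg]


if __name__ == "__main__":
    fields = parse_apparmor_line(SAMPLE_DENIAL)
    print("denied:", fields["comm"], "->", fields["name"])
    print("candidate rule:", suggest_proc_rule(fields))
    print("sender cmdline:", parse_cmdline(SAMPLE_CMDLINE))
```

Run stand-alone it prints the candidate rule `@{PROC}/@{pid}/cmdline r,` for the constructed denial, matching the line the patch adds; feeding it a denial whose `ouid` equals the task's `fsuid` yields the `owner`-qualified form instead, which is the narrower rule to prefer when the confined process is only reading its own entry.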

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list