Hi, Michal Privoznik: > On 11/30/2017 06:43 PM, Jim Fehlig wrote: >> I must admit it is not clear to me why >> /proc/<libvirtd-pid>/cmdline is read on domain shutdown. > It's result of these qemu patches: > fbe7e3327a8cfa1b08664c2cda7a0a341cf0530a > 7dc9ae4339faa97e89daadb2e1098147ab4aadc8 > Whenever qemu receives a signal it reports PID that sent it. Thanks a lot for investigating! >> examples/apparmor/libvirt-qemu | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu >> index 73bdbae87..3d9eed9ec 100644 >> --- a/examples/apparmor/libvirt-qemu >> +++ b/examples/apparmor/libvirt-qemu >> @@ -25,6 +25,7 @@ >> /dev/ptmx rw, >> /dev/kqemu rw, >> @{PROC}/*/status r, >> + @{PROC}/@{pid}/cmdline r, >> # Per man(5) proc, the kernel enforces that a thread may >> # only modify its comm value or those in its thread group. >> owner @{PROC}/@{pid}/task/@{tid}/comm rw, >> > ACK and safe for the freeze. +1 (I've seen this denial for a while but did not notice any problem it would cause, so I was wondering if we should allow this operation or just ignore the denial & silence the logs. Now that we understand what it is about, I agree we should allow it. Denying this access would make it harder to debug issues in the future e.g. if QEMU ever starts needing it for other, more critical reasons.) Cheers, -- intrigeri -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list