Re: [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote:
> Noticed the following denial in audit.log when shutting down
> an apparmor confined domain
> 
> type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
> operation="open" profile="libvirt-66154842-e926-4f92-92f0-
> 1c1bf61dd1ff"
> name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=469 ouid=0
> 
> Squelch the denial by allowing read access to /proc/<pid>/cmdline.
> 
> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> ---
> 
> Note: In the audit.log snippet, PID 1475 is libvirtd and 2958 is the
> qemu process. I must admit it is not clear to me why
> /proc/<libvirtd-pid>/cmdline is read on domain shutdown.
> 
>  examples/apparmor/libvirt-qemu | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index 73bdbae87..3d9eed9ec 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -25,6 +25,7 @@
>    /dev/ptmx rw,
>    /dev/kqemu rw,
>    @{PROC}/*/status r,
> +  @{PROC}/@{pid}/cmdline r,

Note this is an information leak and allows reading potentially
sensitive information, such as passwords given on the command line. Eg:

$ cat /proc/13335/cmdline | tr '\0' ' '
sh /tmp/testme --password=sensitive

Would it be possible to use 'owner' match? Eg:

  owner @{PROC}/@{pid}/cmdline r,

Either way, I think a comment is warranted above the rule stating it is
an information leak.

-- 
Jamie Strandboge             | http://www.canonical.com

Attachment: signature.asc
Description: This is a digitally signed message part

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux