Re: [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/04/2017 04:03 AM, Michal Privoznik wrote:
On 12/01/2017 02:26 PM, Jamie Strandboge wrote:
On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote:
Noticed the following denial in audit.log when shutting down
an apparmor confined domain

type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
operation="open" profile="libvirt-66154842-e926-4f92-92f0-
1c1bf61dd1ff"
name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=469 ouid=0

Squelch the denial by allowing read access to /proc/<pid>/cmdline.

Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
---

Note: In the audit.log snippet, PID 1475 is libvirtd and 2958 is the
qemu process. I must admit it is not clear to me why
/proc/<libvirtd-pid>/cmdline is read on domain shutdown.

  examples/apparmor/libvirt-qemu | 1 +
  1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index 73bdbae87..3d9eed9ec 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -25,6 +25,7 @@
    /dev/ptmx rw,
    /dev/kqemu rw,
    @{PROC}/*/status r,
+  @{PROC}/@{pid}/cmdline r,

Note this is an information leak and allows reading potentially
sensitive information, such as passwords given on the command line. Eg:

$ cat /proc/13335/cmdline | tr '\0' ' '
sh /tmp/testme --password=sensitive

Well, I'd say that passing passwords (or any sensitive information)
through command line is doomed by definition. Anybody can read that
(doing mere ps is enough).


Would it be possible to use 'owner' match? Eg:

   owner @{PROC}/@{pid}/cmdline r,

Okay, this narrows the attack surface, but I guess that somebody else
doing `ps' on the system will be able to obtain the password anyway.

Prefixing the rule with 'owner' didn't work as noted earlier in the thread

https://www.redhat.com/archives/libvir-list/2017-December/msg00031.html

I've pushed the patch with the comment squashed in, albeit dangerously close to the release :-).

Regards,
Jim

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux