Re: [libvirt] [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

On 12/01/2017 02:26 PM, Jamie Strandboge wrote: > On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote: > > Noticed the following denial in audit.log when shutting down > > an apparmor confined domain > > > > type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" > > operation="open" profile="libvirt-66154842-e926-4f92-92f0- > > 1c1bf61dd1ff" > > name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" > > requested_mask="r" denied_mask="r" fsuid=469 ouid=0 > > > > Squelch the denial by allowing read access to > > /proc/<pid>/cmdline. > > > > Signed-off-by: Jim Fehlig <jfehlig(a)suse.com&gt; > > --- > > > > Note: In the audit.log snippet, PID 1475 is libvirtd and 2958 is > > the > > qemu process. I must admit it is not clear to me why > > /proc/<libvirtd-pid>/cmdline is read on domain shutdown. > > > > examples/apparmor/libvirt-qemu | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/examples/apparmor/libvirt-qemu > > b/examples/apparmor/libvirt-qemu > > index 73bdbae87..3d9eed9ec 100644 > > --- a/examples/apparmor/libvirt-qemu > > +++ b/examples/apparmor/libvirt-qemu > > @@ -25,6 +25,7 @@ > > /dev/ptmx rw, > > /dev/kqemu rw, > > @{PROC}/*/status r, > > + @{PROC}/@{pid}/cmdline r, > > Note this is an information leak and allows reading potentially > sensitive information, such as passwords given on the command line. > Eg: > > $ cat /proc/13335/cmdline | tr '\0' ' ' > sh /tmp/testme --password=sensitive Well, I'd say that passing passwords (or any sensitive information) through command line is doomed by definition. Anybody can read that (doing mere ps is enough). > > Would it be possible to use 'owner' match? Eg: > > owner @{PROC}/@{pid}/cmdline r, Okay, this narrows the attack surface, but I guess that somebody else doing `ps' on the system will be able to obtain the password anyway.