Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

On Tue, Dec 6, 2016 at 5:40 PM, Jamie Strandboge <jamie(a)canonical.com&gt; wrote: > > I forgot to reiterate: the above is true *unless* there is another > non-DAC, non- > MAC kernel mediation (eg, does the kernel only allow modifying the 'comm' > value > of its own threads? If so, then the rule would be safe to add to the > default > abstraction (though we should document that it is safe)). > Thanks for your help Jamie on thinking through the implications of this - I really highly appreciate! For the given interface the v2 should be safe see e.g. http://man7.org/linux/man-pages/man5/proc.5.html Quoting from there: "... A thread may modify *its* comm value, or that of any of other thread *in the same thread group* ..."