
On Mon, 2016-12-05 at 11:21 +0000, intrigeri wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1369281 --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 11381d4df0..a07291d583 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -21,6 +21,7 @@ /dev/ptmx rw, /dev/kqemu rw, @{PROC}/*/status r, + @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/cap_last_cap r,
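Review bot: the added rule `@{PROC}/@{pid}/task/@{tid}/comm rw,` is not tied to the confined process's own pid or tid, so as written it grants write access to the comm file of every task on the system; the neighbouring `@{PROC}/*/status r,` is read-only, so this is the first write permission into /proc in this block. Consider scoping it to the guest's own threads, e.g. `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`, and stating in the commit message why qemu needs to rename its threads, since the quoted message gives only the bugzilla link as justification.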
This rule would allow any confined guest to change the 'comm' value of any task on the system, if the system otherwise allowed it. These days that would likely be mitigated somewhat by DAC protections (i.e., when qemu is run as non-root). Other than DAC (and MAC), what other protections exist that might make this rule acceptable?

-- 
Jamie Strandboge | http://www.canonical.com
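As an added example, not part of this thread and not libvirt's or AppArmor's own code, the following Python lint reproduces the concern raised above over the profile lines quoted in the hunk: it parses AppArmor file rules and flags any rule that grants write access under another process's /proc entry without the `owner` qualifier. The sample profile is constructed from the hunk with the `+` marker removed. It assumes the stock tunables, where `@{PROC}` expands to `/proc` and `@{pid}`, `@{tid}` and `*` match any id rather than the confined task's own; `owner` is AppArmor's real qualifier restricting a rule to files owned by the task's uid, and is used here as the suggested hardening, not as a fix the thread agreed on.

```python
import re

# Constructed sample: the file-rule block from the quoted hunk, with the '+'
# marker removed so it reads as it would in examples/apparmor/libvirt-qemu.
SAMPLE_PROFILE = """
  /dev/ptmx rw,
  /dev/kqemu rw,
  @{PROC}/*/status r,
  @{PROC}/@{pid}/task/@{tid}/comm rw,
  @{PROC}/sys/kernel/cap_last_cap r,
"""

# One AppArmor file rule: optional 'owner' qualifier, a path (possibly starting
# with a @{VAR} tunable), a permission string, and the terminating comma.
# Deliberately narrow: it ignores link/deny/audit rules and quoted paths.
FILE_RULE = re.compile(
    r'^(?P<owner>owner\s+)?(?P<path>(?:@\{[A-Za-z_]+\}|/)\S*)\s+'
    r'(?P<perms>[rwaklmxiuPCUp]+)\s*,$'
)

# Path prefixes that reach into the /proc entry of an arbitrary process.
# Assumption (stock tunables): @{PROC} expands to /proc, and @{pid} or '*'
# match any pid, not just the confined task's own.
ANY_PID_PREFIXES = ('@{PROC}/@{pid}/', '@{PROC}/*/', '/proc/@{pid}/', '/proc/*/')


def parse_file_rules(profile_text):
    """Return a list of dicts (line, owner, path, perms), one per file rule."""
    rules = []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and indentation
        m = FILE_RULE.match(line)
        if not m:
            continue
        rules.append({
            'line': lineno,
            'owner': m.group('owner') is not None,
            'path': m.group('path'),
            'perms': m.group('perms'),
        })
    return rules


def find_unscoped_proc_writes(profile_text):
    """Rules granting write ('w' or 'a') under another process's /proc entry
    without the 'owner' qualifier. Returns (line, path, perms) tuples."""
    findings = []
    for rule in parse_file_rules(profile_text):
        grants_write = any(p in rule['perms'] for p in 'wa')
        reaches_any_pid = rule['path'].startswith(ANY_PID_PREFIXES)
        if grants_write and reaches_any_pid and not rule['owner']:
            findings.append((rule['line'], rule['path'], rule['perms']))
    return findings


def scope_to_owner(rule_line):
    """Suggested hardening: prefix the rule with the 'owner' qualifier, which
    limits it to files owned by the confined task's own uid."""
    stripped = rule_line.strip()
    if stripped.startswith('owner '):
        return stripped
    return 'owner ' + stripped


if __name__ == '__main__':
    for line, path, perms in find_unscoped_proc_writes(SAMPLE_PROFILE):
        fixed = scope_to_owner(f'{path} {perms},')
        print(f'line {line}: {path} {perms},  ->  {fixed}')
```

Run against the sample, the lint reports only the new comm rule; prefixing that rule with `owner` makes the report empty, while the read-only `@{PROC}/*/status r,` rule is never flagged because it grants no write.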