Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.
On Mon, 2016-12-05 at 11:21 +0000, intrigeri wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1369281
---
examples/apparmor/libvirt-qemu | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 11381d4df0..a07291d583 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -21,6 +21,7 @@
/dev/ptmx rw,
/dev/kqemu rw,
@{PROC}/*/status r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/sys/kernel/cap_last_cap r,
This rule would allow any confined guest to change the 'comm' value of any task
on the system, if the system otherwise allowed it. These days that would likely
be mitigated somewhat by DAC protections (ie, when qemu is run as non-root).
Other than DAC (and MAC), what other protections exist that might make this rule
acceptable?
--
Jamie Strandboge | http://www.canonical.com
Attachments:
- signature.asc (application/pgp-signature — 819 bytes)