On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote:
Noticed the following denial in audit.log when shutting down an apparmor confined domain
type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0- 1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0
Squelch the denial by allowing read access to /proc/<pid>/cmdline.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> ---
Note: In the audit.log snippet, PID 1475 is libvirtd and 2958 is the qemu process. I must admit it is not clear to me why /proc/<libvirtd-pid>/cmdline is read on domain shutdown.
examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 73bdbae87..3d9eed9ec 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -25,6 +25,7 @@ /dev/ptmx rw, /dev/kqemu rw, @{PROC}/*/status r, + @{PROC}/@{pid}/cmdline r,
Note this is an information leak and allows reading potentially sensitive information, such as passwords given on the command line. Eg: $ cat /proc/13335/cmdline | tr '\0' ' ' sh /tmp/testme --password=sensitive Would it be possible to use 'owner' match? Eg: owner @{PROC}/@{pid}/cmdline r, Either way, I think a comment is warranted above the rule stating it is an information leak. -- Jamie Strandboge | http://www.canonical.com