Re: [libvirt] [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline
On 12/01/2017 02:26 PM, Jamie Strandboge wrote:
On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote:
> Noticed the following denial in audit.log when shutting down
> an apparmor confined domain
>
> type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
> operation="open" profile="libvirt-66154842-e926-4f92-92f0-
> 1c1bf61dd1ff"
> name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=469 ouid=0
>
> Squelch the denial by allowing read access to /proc/<pid>/cmdline.
>
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
> ---
>
> Note: In the audit.log snippet, PID 1475 is libvirtd and 2958 is the
> qemu process. I must admit it is not clear to me why
> /proc/<libvirtd-pid>/cmdline is read on domain shutdown.
>
> examples/apparmor/libvirt-qemu | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index 73bdbae87..3d9eed9ec 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -25,6 +25,7 @@
> /dev/ptmx rw,
> /dev/kqemu rw,
> @{PROC}/*/status r,
> + @{PROC}/@{pid}/cmdline r,
Note this is an information leak and allows reading potentially
sensitive information, such as passwords given on the command line. Eg:
$ cat /proc/13335/cmdline | tr '\0' ' '
sh /tmp/testme --password=sensitive
Well, I'd say that passing passwords (or any sensitive information)
through command line is doomed by definition. Anybody can read that
(doing mere ps is enough).
Would it be possible to use 'owner' match? Eg:
owner @{PROC}/@{pid}/cmdline r,
Okay, this narrows the attack surface, but I guess that somebody else
doing `ps' on the system will be able to obtain the password anyway.
Michal