mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 05:35:25 +00:00
apparmor: allow qemu abstraction to read /proc/pid/cmdline
Noticed the following denial in audit.log when shutting down an apparmor confined domain type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0 Squelch the denial by allowing read access to /proc/<pid>/cmdline.
This commit is contained in:
parent
684c0f1811
commit
0af5ced4b8
@ -25,6 +25,10 @@
|
||||
/dev/ptmx rw,
|
||||
/dev/kqemu rw,
|
||||
@{PROC}/*/status r,
|
||||
# When qemu is signaled to terminate, it will read cmdline of signaling
|
||||
# process for reporting purposes. Allowing read access to a process
|
||||
# cmdline may leak sensitive information embedded in the cmdline.
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
# Per man(5) proc, the kernel enforces that a thread may
|
||||
# only modify its comm value or those in its thread group.
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
Loading…
Reference in New Issue
Block a user