From a73e7037e5a5f7af94216e2147c6ef675b2323f6 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Mon, 12 Dec 2016 10:59:32 +0000
Subject: [PATCH] AppArmor: allow QEMU to set_process_name.

https://bugzilla.redhat.com/show_bug.cgi?id=1369281

Acked-by: Christian Ehrhardt
---
 examples/apparmor/libvirt-qemu | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 133c2eb093..a9020aa807 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -21,6 +21,9 @@
 /dev/ptmx rw,
 /dev/kqemu rw,
 @{PROC}/*/status r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 @{PROC}/sys/kernel/cap_last_cap r,

 # For hostdev access. The actual devices will be added dynamically
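Review bot: The added comment justifies only the write half of `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` and does not say that `@{pid}` and `@{tid}` are patterns matching any numeric id, so at the AppArmor level the rule covers the comm file of every task owned by the same uid, not just QEMU's own threads. Where several guests run under one uid, separation between them on this path rests entirely on the kernel check the comment cites; I would say so in the comment, e.g. `# AppArmor matches any same-uid task here; isolation between guests relies on the kernel's thread-group check.` The rule also assumes both variables are defined by the tunables the including profile pulls in, which this hunk does not show; if `@{tid}` were undefined there, the profile would presumably fail to parse. The rest of the abstraction lies outside the hunk.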