apparmor: allow qemu abstraction to read /proc/pid/cmdline

Noticed the following denial in audit.log when shutting down
an apparmor confined domain

type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=469 ouid=0

Squelch the denial by allowing read access to /proc/<pid>/cmdline.

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 73bdbae87253e1e6347805fa8c0ea4af10acb4f5..d4fad85a1801fd6c65d23d528f51bd19ba039415 100644 (file)
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -25,6 +25,10 @@
   /dev/ptmx rw,
   /dev/kqemu rw,
   @{PROC}/*/status r,
+  # When qemu is signaled to terminate, it will read cmdline of signaling
+  # process for reporting purposes. Allowing read access to a process
+  # cmdline may leak sensitive information embedded in the cmdline.
+  @{PROC}/@{pid}/cmdline r,
   # Per man(5) proc, the kernel enforces that a thread may
   # only modify its comm value or those in its thread group.
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,