From: Jim Fehlig Date: Thu, 30 Nov 2017 17:32:30 +0000 (-0700) Subject: apparmor: allow qemu abstraction to read /proc/pid/cmdline X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=0af5ced4b81b68be7016d1f8755db3d0c3249278;p=libvirt.git apparmor: allow qemu abstraction to read /proc/pid/cmdline Noticed the following denial in audit.log when shutting down an apparmor confined domain type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0 Squelch the denial by allowing read access to /proc//cmdline. --- diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 73bdbae872..d4fad85a18 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -25,6 +25,10 @@ /dev/ptmx rw, /dev/kqemu rw, @{PROC}/*/status r, + # When qemu is signaled to terminate, it will read cmdline of signaling + # process for reporting purposes. Allowing read access to a process + # cmdline may leak sensitive information embedded in the cmdline. + @{PROC}/@{pid}/cmdline r, # Per man(5) proc, the kernel enforces that a thread may # only modify its comm value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw,
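Review bot: The added rule `@{PROC}/@{pid}/cmdline r,` has no `owner` qualifier and sits in the shared qemu abstraction, so every confined domain can read the command line of any process on the host. The comment above it names the leak but does not say why the rule cannot be narrower. The denial quoted in the commit message shows the reason: the file belongs to another user (`ouid=0`) while qemu runs as `fsuid=469`, so an `owner` rule would not match the signaling process. That is worth stating in the comment so nobody later "tightens" the rule and brings the denial back. Since the read is only "for reporting purposes", also consider `deny @{PROC}/@{pid}/cmdline r,` instead. An explicit deny is not audited by default, so it would silence the log entry without granting the access, provided qemu tolerates the open failing. A smaller style point: the neighbouring context line uses `@{PROC}/*/status r,` while the new rule uses `@{pid}`. The `@{pid}` form is the tighter match, but the two spellings side by side invite the question of whether the difference is intentional.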