[libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.
Christian Ehrhardt
christian.ehrhardt at canonical.com
Wed Dec 7 07:37:24 UTC 2016
On Tue, Dec 6, 2016 at 5:40 PM, Jamie Strandboge <jamie at canonical.com>
wrote:
> I forgot to reiterate: the above is true *unless* there is another
> non-DAC, non-
> MAC kernel mediation (eg, does the kernel only allow modifying the 'comm'
> value
> of its own threads? If so, then the rule would be safe to add to the
> default
> abstraction (though we should document that it is safe)).
>
Thanks for your help Jamie on thinking through the implications of this - I
really highly appreciate!
For the given interface the v2 should be safe see e.g.
http://man7.org/linux/man-pages/man5/proc.5.html
Quoting from there: "... A thread may modify *its* comm value, or that of
any of other thread *in the same thread group* ..."
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20161207/add626bc/attachment-0001.htm>
More information about the libvir-list
mailing list