[libvirt] [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

Jim Fehlig jfehlig at suse.com
Fri Dec 1 15:32:08 UTC 2017 

On 12/01/2017 06:26 AM, Jamie Strandboge wrote:
> On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote:
>> Noticed the following denial in audit.log when shutting down
>> an apparmor confined domain
>>
>> type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
>> operation="open" profile="libvirt-66154842-e926-4f92-92f0-
>> 1c1bf61dd1ff"
>> name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
>> requested_mask="r" denied_mask="r" fsuid=469 ouid=0
>>
>> Squelch the denial by allowing read access to /proc/<pid>/cmdline.
>>
>> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
>> ---
>>
>> Note: In the audit.log snippet, PID 1475 is libvirtd and 2958 is the
>> qemu process. I must admit it is not clear to me why
>> /proc/<libvirtd-pid>/cmdline is read on domain shutdown.
>>
>>   examples/apparmor/libvirt-qemu | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/examples/apparmor/libvirt-qemu
>> b/examples/apparmor/libvirt-qemu
>> index 73bdbae87..3d9eed9ec 100644
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -25,6 +25,7 @@
>>     /dev/ptmx rw,
>>     /dev/kqemu rw,
>>     @{PROC}/*/status r,
>> +  @{PROC}/@{pid}/cmdline r,
> 
> Note this is an information leak and allows reading potentially
> sensitive information, such as passwords given on the command line. Eg:
> 
> $ cat /proc/13335/cmdline | tr '\0' ' '
> sh /tmp/testme --password=sensitive

Good point.

> Would it be possible to use 'owner' match? Eg:
> 
>    owner @{PROC}/@{pid}/cmdline r,

I still see the denial with 'owner'. I suppose that would only work if qemu is 
invoked with libvirtd euid.

> Either way, I think a comment is warranted above the rule stating it is
> an information leak.

How about the below squashed in? Or drop this patch and live with the denial? I 
think the only side-affect is inability for qemu to report the signaling process 
name.

Regards,
Jim

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 3d9eed9ec..d4fad85a1 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -25,6 +25,9 @@
    /dev/ptmx rw,
    /dev/kqemu rw,
    @{PROC}/*/status r,
+  # When qemu is signaled to terminate, it will read cmdline of signaling
+  # process for reporting purposes. Allowing read access to a process
+  # cmdline may leak sensitive information embedded in the cmdline.
    @{PROC}/@{pid}/cmdline r,
    # Per man(5) proc, the kernel enforces that a thread may
    # only modify its comm value or those in its thread group.

More information about the libvir-list mailing list