[libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.
christian.ehrhardt at canonical.com
Wed Dec 7 07:37:24 UTC 2016
On Tue, Dec 6, 2016 at 5:40 PM, Jamie Strandboge <jamie at canonical.com> wrote:
> I forgot to reiterate: the above is true *unless* there is another non-DAC,
> non-MAC kernel mediation (eg, does the kernel only allow modifying the 'comm'
> of its own threads? If so, then the rule would be safe to add to the
> abstraction (though we should document that it is safe)).
Thanks for your help, Jamie, on thinking through the implications of this - I
really highly appreciate it!
For the given interface the v2 should be safe see e.g.
Quoting from there: "... A thread may modify *its* comm value, or that of
any of other thread *in the same thread group* ..."
Software Engineer, Ubuntu Server
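
A check of the kernel restriction quoted above, as an added example that is not part of the original message or of libvirt. It assumes the quoted text refers to the Linux `/proc/<pid>/task/<tid>/comm` files; the helper names and the thread names written are constructed for illustration.

```python
import os
import subprocess
import sys
import threading


def write_comm(path, name):
    """Hypothetical helper: write name to a comm file; return 0 or the errno."""
    try:
        fd = os.open(path, os.O_WRONLY)
        try:
            os.write(fd, name)
        finally:
            os.close(fd)
        return 0
    except OSError as exc:
        return exc.errno


def rename_sibling_thread(name=b"sibling-demo"):
    """Main thread renames another thread in its own thread group (allowed)."""
    ready, done, tid = threading.Event(), threading.Event(), []
    def worker():
        tid.append(threading.get_native_id())  # kernel TID of this thread
        ready.set()
        done.wait()
    t = threading.Thread(target=worker)
    t.start()
    ready.wait()
    path = f"/proc/self/task/{tid[0]}/comm"
    rc = write_comm(path, name)
    with open(path, "rb") as fh:
        comm = fh.read().strip()
    done.set()
    t.join()
    return rc, comm


def rename_other_process(name=b"other-demo"):
    """Same UID, different thread group: the kernel itself refuses the write."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])
    try:
        return write_comm(f"/proc/{child.pid}/task/{child.pid}/comm", name)
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print(rename_sibling_thread(), rename_other_process())
```

The second call fails with `EINVAL` even though DAC permissions let the file be opened, which is the kernel mediation Jamie asked about.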