[libvirt] [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

Michal Privoznik mprivozn at redhat.com
Fri Dec 1 08:21:19 UTC 2017

On 11/30/2017 06:43 PM, Jim Fehlig wrote:
> Noticed the following denial in audit.log when shutting down
> an apparmor confined domain
> type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
> operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=469 ouid=0
> Squelch the denial by allowing read access to /proc/<pid>/cmdline.
> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
> ---
> Note: In the audit.log snippet, PID 1475 is libvirtd and 2958 is the
> qemu process. I must admit it is not clear to me why
> /proc/<libvirtd-pid>/cmdline is read on domain shutdown.

It's result of these qemu patches:


Whenever qemu receives a signal it reports PID that sent it. However,
this doesn't help anything really - processes come and go, PIDs change.
I recall debugging some issue where qemu was dying and all I could see
was PID. I was quite certain that the signal was not sent by libvirtd.
The only way to prove it was to have those two patches in so that qemu
can now report process name among with the PID.

>  examples/apparmor/libvirt-qemu | 1 +
>  1 file changed, 1 insertion(+)
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 73bdbae87..3d9eed9ec 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -25,6 +25,7 @@
>    /dev/ptmx rw,
>    /dev/kqemu rw,
>    @{PROC}/*/status r,
> +  @{PROC}/@{pid}/cmdline r,
>    # Per man(5) proc, the kernel enforces that a thread may
>    # only modify its comm value or those in its thread group.
>    owner @{PROC}/@{pid}/task/@{tid}/comm rw,

ACK and safe for the freeze.


More information about the libvir-list mailing list