Re: [libvirt] [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

Mon, 04 Dec 2017 06:09:07 -0800 

On 12/04/2017 04:03 AM, Michal Privoznik wrote:

On 12/01/2017 02:26 PM, Jamie Strandboge wrote:

On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote:

Noticed the following denial in audit.log when shutting down
an apparmor confined domain

type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
operation="open" profile="libvirt-66154842-e926-4f92-92f0-
1c1bf61dd1ff"
name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=469 ouid=0

Squelch the denial by allowing read access to /proc/<pid>/cmdline.

Signed-off-by: Jim Fehlig <jfeh...@suse.com>
---

Note: In the audit.log snippet, PID 1475 is libvirtd and 2958 is the
qemu process. I must admit it is not clear to me why
/proc/<libvirtd-pid>/cmdline is read on domain shutdown.

  examples/apparmor/libvirt-qemu | 1 +
  1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index 73bdbae87..3d9eed9ec 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -25,6 +25,7 @@
    /dev/ptmx rw,
    /dev/kqemu rw,
    @{PROC}/*/status r,
+  @{PROC}/@{pid}/cmdline r,


Note this is an information leak and allows reading potentially
sensitive information, such as passwords given on the command line. Eg:

$ cat /proc/13335/cmdline | tr '\0' ' '
sh /tmp/testme --password=sensitive


Well, I'd say that passing passwords (or any sensitive information)
through command line is doomed by definition. Anybody can read that
(doing mere ps is enough).



Would it be possible to use 'owner' match? Eg:

   owner @{PROC}/@{pid}/cmdline r,


Okay, this narrows the attack surface, but I guess that somebody else
doing `ps' on the system will be able to obtain the password anyway.


Prefixing the rule with 'owner' didn't work as noted earlier in the thread

https://www.redhat.com/archives/libvir-list/2017-December/msg00031.html
I've pushed the patch with the comment squashed in, albeit dangerously close to the release :-). 

Regards,
Jim

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to