Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-19 Thread Daniel P. Berrange
On Sat, Dec 17, 2016 at 03:54:29PM +0100, intrigeri wrote: > Hi, > > Daniel P. Berrange: > > On Mon, Dec 12, 2016 at 04:04:34PM +0100, Martin Kletzander wrote: > >> Didn't we have a policy of using real names in commit messages? I > >> remember someone advocating that (Eric?), so I did that as we

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-17 Thread intrigeri
Hi, Daniel P. Berrange: > On Mon, Dec 12, 2016 at 04:04:34PM +0100, Martin Kletzander wrote: >> Didn't we have a policy of using real names in commit messages? I >> remember someone advocating that (Eric?), so I did that as well. But to >> be honest, I can't find it anywhere in our docs, but it

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-13 Thread Daniel P. Berrange
On Mon, Dec 12, 2016 at 04:04:34PM +0100, Martin Kletzander wrote: > On Mon, Dec 12, 2016 at 02:09:52PM +, Daniel P. Berrange wrote: > > On Mon, Dec 12, 2016 at 02:53:02PM +0100, Christian Ehrhardt wrote: > > > Acked-by: Christian Ehrhardt > > > > > > That (just FYI) is also equivalent to > >

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-12 Thread Martin Kletzander
On Mon, Dec 12, 2016 at 02:09:52PM +, Daniel P. Berrange wrote: On Mon, Dec 12, 2016 at 02:53:02PM +0100, Christian Ehrhardt wrote: Acked-by: Christian Ehrhardt That (just FYI) is also equivalent to https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550 On Mon, Dec 12, 2016 at 11:

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-12 Thread Daniel P. Berrange
On Mon, Dec 12, 2016 at 02:53:02PM +0100, Christian Ehrhardt wrote: > Acked-by: Christian Ehrhardt > > That (just FYI) is also equivalent to > https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550 > > On Mon, Dec 12, 2016 at 11:59 AM, intrigeri > wrote: > > > https://bugzilla.redhat.c

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-12 Thread Christian Ehrhardt
Acked-by: Christian Ehrhardt That (just FYI) is also equivalent to https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550 On Mon, Dec 12, 2016 at 11:59 AM, intrigeri wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1369281 > --- > examples/apparmor/libvirt-qemu | 3 +++ > 1 file c

[libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-12 Thread intrigeri
https://bugzilla.redhat.com/show_bug.cgi?id=1369281 --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 11381d4df0..fdb5a23291 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/appa

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-07 Thread Jamie Strandboge
On Wed, 2016-12-07 at 08:37 +0100, Christian Ehrhardt wrote: > On Tue, Dec 6, 2016 at 5:40 PM, Jamie Strandboge > wrote: > > > > > I forgot to reiterate: the above is true *unless* there is another > > non-DAC, non- > > MAC kernel mediation (eg, does the kernel only allow modifying the 'comm' >

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-06 Thread Christian Ehrhardt
On Tue, Dec 6, 2016 at 5:40 PM, Jamie Strandboge wrote: > I forgot to reiterate: the above is true *unless* there is another > non-DAC, non- > MAC kernel mediation (eg, does the kernel only allow modifying the 'comm' > value > of its own threads? If so, then the rule would be safe to add to the >

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-06 Thread Jamie Strandboge
On Tue, 2016-12-06 at 10:17 -0600, Jamie Strandboge wrote: > On Mon, 2016-12-05 at 17:30 +0100, Christian Ehrhardt wrote: > > > > On Mon, Dec 5, 2016 at 12:21 PM, intrigeri > > wrote: > > > > > > > > > > > +  @{PROC}/@{pid}/task/@{tid}/comm rw, > > > > > Hi, > > we have used the following for

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-06 Thread Jamie Strandboge
On Mon, 2016-12-05 at 17:30 +0100, Christian Ehrhardt wrote: > On Mon, Dec 5, 2016 at 12:21 PM, intrigeri > wrote: > > > > > +  @{PROC}/@{pid}/task/@{tid}/comm rw, > > > > Hi, > we have used the following for now that we planned to submit soon: > owner @{PROC}/@{pid}/task/[0-9]*/comm rw > > B

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-06 Thread intrigeri
Jamie Strandboge: > This rule would allow any confined guest to change the 'comm' value of any > task > on the system, if the system otherwise allowed it. Right. Fixed with the 'owner' prefix in my v2 patch, as suggested by Christian. Cheers, -- intrigeri

[libvirt] [PATCH] AppArmor: allow QEMU to set_process_name. (v2)

2016-12-06 Thread intrigeri
https://bugzilla.redhat.com/show_bug.cgi?id=1369281 --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 11381d4df0..10d2ac958c 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmo

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-05 Thread Jamie Strandboge
On Mon, 2016-12-05 at 11:21 +, intrigeri wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1369281 > --- >  examples/apparmor/libvirt-qemu | 1 + >  1 file changed, 1 insertion(+) > > diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu > index 11381d4df0..a07291d583

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-05 Thread Christian Ehrhardt
On Mon, Dec 5, 2016 at 12:21 PM, intrigeri wrote: > + @{PROC}/@{pid}/task/@{tid}/comm rw, > Hi, we have used the following for now that we planned to submit soon: owner @{PROC}/@{pid}/task/[0-9]*/comm rw But I like yours more since you are adding the explicit TID instead of a pattern. I'm con

[libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-05 Thread intrigeri
https://bugzilla.redhat.com/show_bug.cgi?id=1369281 --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 11381d4df0..a07291d583 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmo