Bug 1369281

Summary: security: apparmor denies qemu.conf set_process_name
Product: Virtualization Tools (Community)
Component: libvirt
Reporter: zssqcaim
Assignee: Libvirt Maintainers <libvirt-maint>
CC: crobinso, intrigeri, libvirt-maint, rbalakri
Status: CLOSED UPSTREAM
Severity: unspecified
Priority: unspecified
Version: unspecified
Hardware: x86_64
OS: Linux
Type: Bug
Last Closed: 2016-12-12 14:32:52 UTC

Description zssqcaim 2016-08-23 01:28:24 UTC
Description of problem:
The current apparmor profile prevents qemu from changing task names.

Version-Release number of selected component (if applicable):
at least: 1.3.5; 2.0.0

How reproducible:
always

Steps to Reproduce:
1. use apparmor security driver
2. run virtual machine

Actual results:
noise in syslog (apparmor audit), for example:

apparmor="DENIED" operation="open" profile="libvirt-cdf35917-3cf6-46ec-b41b-e906add9259f" name="/proc/3024/task/9431/comm" pid=3024 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"

Expected results:
--

Additional info:
fix: add this rule to the profile /etc/apparmor.d/abstractions/libvirt-qemu:
  @{PROC}/@{pid}/task/*/comm rw,
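The report quotes one raw AppArmor audit line and the profile rule that silences it. The script below is an added example, not part of the bug report or of libvirt: it parses AppArmor audit lines into their key/value fields, keeps only DENIED file-access events, and rewrites the concrete /proc path into the @{PROC}/@{pid} abstraction form so the candidate rule can be compared with what a profile maintainer would write. The sample log is constructed (the first line mirrors the one in the report, the other two are made up to show filtering); the mapping from denied_mask to rule permissions is a heuristic, and every suggested rule still needs a human to confirm the access is intended, as the maintainers did here by tying it to the qemu.conf set_process_name option.

```python
"""Parse AppArmor DENIED audit lines and derive candidate profile rules.

Added example, not code from the bug report or from libvirt. The sample
log below is constructed; path generalisation to @{PROC}/@{pid} follows
the form of the rule the reporter proposed.
"""
import re

# key="value" or key=value pairs as emitted in AppArmor audit messages.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return a dict of fields from one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def generalize_path(name):
    """Rewrite a concrete /proc path into the @{PROC}/@{pid} form used in abstractions.

    /proc/3024/task/9431/comm -> @{PROC}/@{pid}/task/*/comm
    Paths outside /proc are returned unchanged.
    """
    m = re.match(r'^/proc/(\d+|self)(/.*)?$', name)
    if not m:
        return name
    rest = m.group(2) or ''
    # Thread ids under task/ differ per thread, so that component becomes a glob.
    rest = re.sub(r'^/task/\d+', '/task/*', rest)
    return '@{PROC}/@{pid}' + rest


def suggest_rule(fields):
    """Turn a DENIED file-access event into a candidate rule line (heuristic)."""
    if fields.get('apparmor') != 'DENIED' or 'name' not in fields:
        return None
    # Grant only what was actually denied, not the full requested mask.
    perms = fields.get('denied_mask') or fields.get('requested_mask') or ''
    return '%s %s,' % (generalize_path(fields['name']), perms)


def denials_to_rules(lines):
    """Map log lines to (profile, rule) for each DENIED event; other lines are skipped."""
    out = []
    for line in lines:
        fields = parse_apparmor_line(line)
        if not fields:
            continue
        rule = suggest_rule(fields)
        if rule:
            out.append((fields.get('profile', ''), rule))
    return out


# Constructed sample: line 1 mirrors the report, lines 2 and 3 are made up.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="open" profile="libvirt-cdf35917-3cf6-46ec-b41b-e906add9259f" '
    'name="/proc/3024/task/9431/comm" pid=3024 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"',
    'apparmor="ALLOWED" operation="open" profile="libvirt-cdf35917-3cf6-46ec-b41b-e906add9259f" '
    'name="/dev/kvm" pid=3024 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"',
    'kernel: some unrelated line',
]

if __name__ == '__main__':
    for profile, rule in denials_to_rules(SAMPLE_LOG):
        print(profile, '->', rule)
```

Run against the constructed sample, the only output is the libvirt-cdf35917... profile paired with `@{PROC}/@{pid}/task/*/comm rw,`, which is exactly the rule the report proposes; the ALLOWED line and the unrelated line produce nothing.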

Comment 1 Cole Robinson 2016-09-08 14:05:32 UTC
I assume this is via the qemu.conf set_process_name option?

FWIW the libvirt apparmor maintainers don't really follow this bug tracker, might be better to try libvir-list or file a distro bug. Or if you want to take a stab at fixing it, look at ./src/security/virt-aa-helper.c in libvirt.git

Comment 3 Cole Robinson 2016-12-12 14:32:52 UTC
Patch is upstream now, thanks!

commit a73e7037e5a5f7af94216e2147c6ef675b2323f6
Author: intrigeri <intrigeri+libvirt>
Date:   Mon Dec 12 10:59:32 2016 +0000

    AppArmor: allow QEMU to set_process_name.