[pkg-apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different
Christian Boltz
apparmor-debian at cboltz.de
Mon Feb 2 15:51:14 UTC 2015
Hello,
On Monday, 2 February 2015, u wrote:
> While playing around with `aa-unconfined` I saw that /usr/bin/tor is
> marked as not being confined.
>
> In Debian, `tor` comes with an apparmor profile which is called
> "system_tor" and lives in /etc/apparmor.d.
>
> `aa-unconfined` seems to ignore this, but `aa-status` tells me that
> the `system_tor` profile is indeed active.
>
> Do I need to worry about the tor process not being confined?
If in doubt, cat /proc/$tor_pid/attr/current
> Asked differently, do profiles need to be named a certain way (eg.
> `usr/bin/something`) to be taken into account by `aa-unconfined`?
>
> How do other distributions handle this particular profile?
>
> As intrigeri says [1], one of these tools might be buggy.
I'd guess this is a bug in aa-unconfined - it only checks for profile
names starting with / or null:
if os.path.exists("/proc/%s/attr/current"%pid):
    with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
        for line in current:
            # only labels that look like a path (/...) or a null-* profile
            # are recognised; a named profile such as system_tor falls through
            # and the process is later reported as unconfined
            if line.startswith("/") or line.startswith("null"):
                attr = line.strip()
Does it work if you change aa-unconfined line 66? Untested pseudo-patch:
- if line.startswith("/") or line.startswith("null"):
+ if line.strip() != "unconfined":
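Review bot: the negated comparison on the `+` line also lets a blank line through (`"".strip()` is not `"unconfined"`), so `attr` can end up set to the empty string where the old prefix test left it unset; `if line.strip() and line.strip() != "unconfined":` keeps that behaviour while still accepting a bare profile name such as `system_tor`, which starts with neither `/` nor `null` and is exactly what the old check missed.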
Regards,
Christian Boltz
--
What's wrong with you? emacs is a great operating system!
The only thing it lacks is a decent editor (vim?)
[Jan Trippler in suse-linux]
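The following is an added example, not code from aa-unconfined or from the apparmor project. It models the label that `/proc/<pid>/attr/current` holds ("unconfined" for an unconfined task, otherwise a profile name optionally followed by a mode suffix in parentheses, as in "system_tor (enforce)"; that suffix format is an assumption here) and runs both the original prefix test and the proposed "anything but unconfined" test over a set of constructed sample labels, so the disagreement on named profiles such as `system_tor` is visible. The function and sample names are the example's own.

```python
"""Classify an AppArmor confinement label the way aa-unconfined reads it.

Added example (not aa-unconfined's own code). Assumed label format of
/proc/<pid>/attr/current: "unconfined", or "<profile> (<mode>)" where
<profile> is a path (/usr/sbin/ntpd), a bare name (system_tor) or a
null-* learning profile. All sample labels below are constructed.
"""

from typing import List, Optional, Tuple


def parse_attr_current(text: str) -> Optional[Tuple[str, str]]:
    """Return (profile, mode) for a confined label, None for unconfined.

    A trailing " (enforce)" / " (complain)" suffix is split off as the
    mode; a label without a suffix is reported with mode "unknown".
    Blank input is treated as "nothing usable read", i.e. None.
    """
    label = text.strip()
    if not label or label == "unconfined":
        return None
    if label.endswith(")") and " (" in label:
        profile, _, mode = label.rpartition(" (")
        return profile, mode[:-1]
    return label, "unknown"


def confined_by_prefix(text: str) -> bool:
    """The original aa-unconfined test: only '/...' or 'null...' counts."""
    return text.startswith("/") or text.startswith("null")


def confined(text: str) -> bool:
    """The proposed test: any non-blank label other than 'unconfined' counts."""
    return parse_attr_current(text) is not None


def process_label(pid: int) -> Optional[str]:
    """Read the live label of a process (Linux + AppArmor only); None if unreadable."""
    try:
        with open(f"/proc/{pid}/attr/current", encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample labels, each as the kernel would present it (with newline).
SAMPLES = {
    "unconfined\n": None,
    "/usr/sbin/ntpd (enforce)\n": ("/usr/sbin/ntpd", "enforce"),
    "system_tor (enforce)\n": ("system_tor", "enforce"),
    "system_tor (complain)\n": ("system_tor", "complain"),
    "null-complain-profile (complain)\n": ("null-complain-profile", "complain"),
    "\n": None,
}


def disagreements() -> List[str]:
    """Sample labels on which the prefix test and the fixed test disagree."""
    return sorted(
        label.strip()
        for label in SAMPLES
        if confined_by_prefix(label) != confined(label)
    )


if __name__ == "__main__":
    for label, expected in SAMPLES.items():
        got = parse_attr_current(label)
        assert got == expected, (label, got, expected)
        print(f"{label.strip()!r:40} prefix={confined_by_prefix(label)!s:5} "
              f"fixed={confined(label)}")
    # The named system_tor profile is the only case where the two tests differ.
    print("tests disagree on:", disagreements())
```

Run it directly to see the table; `disagreements()` returns just the two `system_tor` labels, which is the case reported in the thread, while path-based and null-* profiles are classified the same way by both tests.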