[pkg-apparmor] [apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different
John Johansen
john.johansen at canonical.com
Mon Feb 2 17:49:29 UTC 2015
On 02/02/2015 07:51 AM, Christian Boltz wrote:
> Hello,
>
> On Monday, 2 February 2015, u wrote:
>> While playing around with `aa-unconfined` i saw that /usr/bin/tor is
>> marked as not being confined.
>>
>> In Debian, `tor` comes with an apparmor profile which is called
>> "system_tor" and lives in /etc/apparmor.d.
>>
>> `aa-unconfined` seems to ignore this, but `aa-status` tells me that
>> the `system_tor` profile is well active.
>>
>> Do I need to worry about the tor process not being confined?
>
> If in doubt, cat /proc/$tor_pid/attr/current
>
>> Asked differently, do profiles need to be named a certain way (eg.
>> `usr/bin/something`) to be taken into account by `aa-unconfined`?
>>
>> How do other distributions handle this particular profile?
>>
>> As intrigeri says [1], one of these tools might be buggy.
>
> I'd guess this is a bug in aa-unconfined - it only checks for profile
> names starting with / or null:
>
> if os.path.exists("/proc/%s/attr/current"%pid):
>     with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
>         for line in current:
>             if line.startswith("/") or line.startswith("null"):
>                 attr = line.strip()
>
> Does it work if you change aa-unconfined line 66? Untested pseudo-patch:
> - if line.startswith("/") or line.startswith("null"):
> + if line.strip() != "unconfined":
>
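Review bot: the null case is silently subsumed rather than dropped by the new condition. A learning-mode value such as `null-/usr/bin/foo (complain)` is not equal to `unconfined`, so `line.strip() != "unconfined"` still sets `attr` for it exactly as the quoted `line.startswith("null")` branch did; an explicit `or line.startswith("null")` added on top would therefore be redundant. If null profiles should instead be reported as unconfined, the test needs to exclude them, e.g. `if line.strip() != "unconfined" and not line.startswith("null"):`. Keying on the literal `unconfined` value is otherwise the right fix, since it is what lets a profile name without a leading `/`, such as `system_tor`, count as confinement.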
hrmmm, the null check is interesting. The only place you should hit that
is in learning mode when there is no profile associated, which from a
confinement pov is unconfined so I would probably keep that
if line.strip() != "unconfined" or line.startswith("null"):
of course that won't work for namespaced stuff but no one is using that
yet.
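As an added illustration (not code from the thread or from aa-unconfined itself), the following runs both the quoted prefix test and a value-based test over constructed /proc/<pid>/attr/current strings; the pids and the cupsd and foo paths are made up, and learning-mode null profiles are reported separately so the reader can decide how to count them.

```python
import re

# Constructed sample contents of /proc/<pid>/attr/current (hypothetical pids).
SAMPLE_ATTR = {
    1001: "unconfined\n",                    # no profile attached
    1002: "/usr/sbin/cupsd (enforce)\n",      # path-named profile
    1003: "system_tor (enforce)\n",           # Debian's tor profile, as in the thread
    1004: "null-/usr/bin/foo (complain)\n",   # learning-mode null profile
}


def prefix_check(line):
    """The test quoted from aa-unconfined: only names starting with '/' or 'null'."""
    return line.startswith("/") or line.startswith("null")


def value_check(line):
    """Key on the value instead: anything but the literal 'unconfined' is a profile."""
    return line.strip() != "unconfined"


def parse_attr(text):
    """Split 'name (mode)' into (name, mode); mode is None for a bare value."""
    value = text.strip()
    m = re.fullmatch(r"(.+?) \((\w+)\)", value)
    if m:
        return m.group(1), m.group(2)
    return value, None


def classify(text, check=value_check):
    """Return (status, profile, mode) for one attr/current value."""
    if not check(text):
        return ("unconfined", None, None)
    name, mode = parse_attr(text)
    # null-* means learning mode with no real profile attached; report it
    # separately so the caller can decide whether that counts as confined.
    if name.startswith("null"):
        return ("null-profile", name, mode)
    return ("confined", name, mode)


def report(attrs, check=value_check):
    """Map each pid to its status under the given check."""
    return {pid: classify(text, check)[0] for pid, text in attrs.items()}


if __name__ == "__main__":
    for label, check in (("prefix check", prefix_check), ("value check", value_check)):
        print(label, report(SAMPLE_ATTR, check))
```

With the prefix check pid 1003 (system_tor) comes back as unconfined, which is the behaviour reported at the top of the thread; with the value check it is confined by `system_tor` in enforce mode.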