[pkg-apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different

Steve Beattie steve at nxnw.org
Tue Feb 3 03:16:10 UTC 2015


On Mon, Feb 02, 2015 at 07:58:58PM +0100, Christian Boltz wrote:
> Some IRC discussion brought up that it's probably better to check for
> ' (complain)' and ' (enforce)', so here's the patch:
> 
> 
> Fix aa-unconfined to work with profile names that don't start with / or null
> 
> I propose this patch for 2.9 and trunk.

I know you already committed this patch, and I think it's an okay
solution for 2.9 (i.e. keeping to a minimal change to reduce the
possibilities of regressions), but for trunk, I'd really rather see
both aa-unconfined and aa-status unify on a helper function, so that
they use the same definition of confinement.

> === modified file 'utils/aa-unconfined'
> --- utils/aa-unconfined 2014-09-14 18:17:00 +0000
> +++ utils/aa-unconfined 2015-02-02 18:50:07 +0000
> @@ -63,8 +63,9 @@
>      if os.path.exists("/proc/%s/attr/current"%pid):
>          with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
>              for line in current:
> -                if line.startswith("/") or line.startswith("null"):
> -                    attr = line.strip()
> +                line = line.strip()
> +                if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1): # enforce at least one char as profile name
> +                    attr = line
>  
>      cmdline = apparmor.common.cmd(["cat", "/proc/%s/cmdline"%pid])[1]
>      pname = cmdline.split("\0")[0]
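Review bot: the `1` start offset in `line.endswith(' (complain)', 1)` on the new `if` line is the only thing rejecting an empty profile name, and the trailing comment is the sole hint of that; an explicit split reads more clearly and is easier to lift into a shared helper later, e.g. `name, _, mode = line.rpartition(' ')` followed by `if name and mode in ('(complain)', '(enforce)'): attr = line`. Note also that `attr = line` still keeps only the last matching line of the file, exactly as the old code did, so the behaviour when a file contains several lines is unchanged.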

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
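As an illustration of the shared helper suggested above, here is an added example (not AppArmor's own code, and not the patch under discussion) of a single label-parsing function that both aa-unconfined and aa-status could call, so they agree on one definition of "confined". It matches on the trailing ` (enforce)` / ` (complain)` mode rather than on how the profile name begins, and requires at least one character of profile name, which is what the `endswith(..., 1)` offset in the patch enforces. The function names, the `proc=` parameter and the sample labels are constructed for this example.

```python
# Added example: one label-parsing helper that aa-unconfined and aa-status
# could share. Not AppArmor's code; names and sample labels are constructed.
import os
import re

# A confined process reads back as "<profile> (enforce)" or
# "<profile> (complain)" from /proc/<pid>/attr/current. The profile name may
# be an absolute path, a "null-..." name or any other string, so match on the
# trailing mode instead of on how the name begins. The ".+" requires at least
# one character of profile name.
_LABEL_RE = re.compile(r'^(?P<profile>.+) \((?P<mode>enforce|complain)\)$')


def parse_label(raw):
    """Return (profile, mode) for a confined label, or None when unconfined.

    Trailing newline/NUL from the attr file is stripped before matching.
    """
    label = raw.rstrip('\0').strip()
    if not label or label == 'unconfined':
        return None
    m = _LABEL_RE.match(label)
    if m is None:
        return None
    return m.group('profile'), m.group('mode')


def is_confined(raw):
    """The single predicate both tools would use."""
    return parse_label(raw) is not None


def read_label(pid, proc='/proc'):
    """Read the raw label for a pid; None if the attr file cannot be read."""
    path = os.path.join(proc, str(pid), 'attr', 'current')
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


if __name__ == '__main__':
    # Constructed sample labels, not captured from a real system.
    samples = [
        '/usr/sbin/tor (enforce)\n',
        'tor (complain)\n',
        'null-complain-profile (complain)\n',
        'unconfined\n',
        ' (enforce)\n',  # empty profile name: rejected
    ]
    for raw in samples:
        print(repr(raw), '->', parse_label(raw))
```

Both tools would then call `is_confined(read_label(pid))`; any future change to what counts as a confined label (a new mode string, for instance) lands in one place instead of two.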