package: apparmor
tags: patch upstream

Hi,

On Monday, 2 February 2015, Christian Boltz wrote:
> On Monday, 2 February 2015, u wrote:
> > While playing around with `aa-unconfined` I saw that /usr/bin/tor is
> > marked as not being confined.
> >
> > In Debian, `tor` comes with an apparmor profile which is called
> > "system_tor" and lives in /etc/apparmor.d.
> >
> > `aa-unconfined` seems to ignore this, but `aa-status` tells me that
> > the `system_tor` profile is indeed active.
> >
> > Do I need to worry about the tor process not being confined?
>
> If in doubt, cat /proc/$tor_pid/attr/current
>
> > Asked differently, do profiles need to be named a certain way (e.g.
> > `usr/bin/something`) to be taken into account by `aa-unconfined`?
> >
> > How do other distributions handle this particular profile?
> >
> > As intrigeri says [1], one of these tools might be buggy.
>
> I'd guess this is a bug in aa-unconfined - it only checks for profile
> names starting with / or null:
>
>     if os.path.exists("/proc/%s/attr/current"%pid):
>         with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
>             for line in current:
>                 if line.startswith("/") or line.startswith("null"):
>                     attr = line.strip()
>
> Does it work if you change aa-unconfined line 66? Untested pseudo-patch:
>
> -                if line.startswith("/") or line.startswith("null"):
> +                if line.strip() != "unconfined":
>
> patch for 2.9 is in
> http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/2015-February/000393.html
> / Message-ID: <1514278.utknflv...@tux.boltz.de.vu>

cheers,
	Holger
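Review bot: the replacement condition fixes the named-profile case, but the quoted snippet shows no initialisation of `attr` before the `for line in current` loop, so when attr/current contains only "unconfined" the assignment is skipped and `attr` keeps whatever value it had from a previous pid; the patch should make sure `attr` is reset (e.g. to None) per process before the loop so an unconfined process is not reported with a stale label.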
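As an added example (not code from this thread or from the apparmor project), the following stand-alone Python compares the prefix check quoted above with the proposed `!= "unconfined"` check over constructed /proc/<pid>/attr/current contents; the sample labels, the `split_label` helper and the blank-line guard are assumptions, not from the thread.

```python
import re

# Constructed sample contents of /proc/<pid>/attr/current, one per
# hypothetical process, in the "<profile> (<mode>)" form (assumption).
SAMPLES = {
    "cupsd": "/usr/sbin/cupsd (enforce)\n",
    "tor": "system_tor (enforce)\n",
    "learning": "null-/usr/bin/foo (complain)\n",
    "sshd": "unconfined\n",
}

# "<profile> (<mode>)" or a bare label such as "unconfined".
LABEL_RE = re.compile(r"^(?P<profile>.+?)(?: \((?P<mode>[a-z]+)\))?$")


def attr_by_prefix(contents):
    """Check quoted in the thread: a process counts as confined only when
    its label starts with '/' or 'null'. A named profile like system_tor
    is missed, which is the tor report above."""
    for line in contents.splitlines():
        if line.startswith("/") or line.startswith("null"):
            return line.strip()
    return None


def attr_by_unconfined(contents):
    """Proposed pseudo-patch: anything but the literal 'unconfined' is a
    confinement label (blank lines are skipped here as an extra guard)."""
    for line in contents.splitlines():
        label = line.strip()
        if label and label != "unconfined":
            return label
    return None


def split_label(label):
    """Split 'system_tor (enforce)' into ('system_tor', 'enforce');
    a label without a mode suffix yields mode None."""
    m = LABEL_RE.match(label)
    return m.group("profile"), m.group("mode")


def compare(samples=SAMPLES):
    """Return {name: (old_result, new_result)} for every sample."""
    return {n: (attr_by_prefix(c), attr_by_unconfined(c))
            for n, c in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:9} old={old!r:32} new={new!r}")
```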