[pkg-apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different
u
u at 451f.org
Mon Feb 2 16:14:17 UTC 2015
Hi,
Steve Beattie:
> On Mon, Feb 02, 2015 at 10:22:27AM +0000, u wrote:
>> `aa-unconfined` seems to ignore this, but `aa-status` tells me that the
>> `system_tor` profile is well active.
>
> This is a bug in aa-unconfined. It's not been updated to take into
> account the possibility of profile names that are not path based
> (i.e. begins with '/'); specifically, the aa-unconfined code contains:
>
> with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
>     for line in current:
>         if line.startswith("/") or line.startswith("null"):
>             attr = line.strip()
>
>> Do I need to worry about the tor process not being confined?
>
> In this case, it does not appear that you do. To confirm, you'll want
> to ensure that the tor process(es) is showing up in the 'XX processes
> are in enforce mode.' in the output of aa-status.
>
> More generally, for debugging purposes, to identify what apparmor
> profile the kernel has applied to a given process, find the pid of
> the process that you're interested in and then examine the contents
> of /proc/PID/attr/current (replacing PID with the pid you identified
> earlier). If it contains 'unconfined', then there is no apparmor
> policy applied. Otherwise, it should contain the name of the profile
> ('system_tor' in the case of tor).
Thanks! I've added this info to the Debian wiki [1]
Ulrike
[1] https://wiki.debian.org/AppArmor/Debug
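Added example (mine, not code from the thread or from apparmor-utils) contrasting the quoted aa-unconfined check with a parser that follows the /proc/PID/attr/current advice above, so a non-path-based name such as system_tor is reported as confined. The sample file contents and the profile_for_pid helper name are my own constructions.

```python
import re

# Constructed sample contents of /proc/PID/attr/current (not captured from a real host)
SAMPLES = {
    "tor":   "system_tor (enforce)\n",        # non-path-based profile name
    "cupsd": "/usr/sbin/cupsd (complain)\n",   # path-based profile name
    "bash":  "unconfined\n",                   # no AppArmor policy applied
}

def buggy_is_confined(attr_current: str) -> bool:
    """Mirror the check quoted above: only names beginning with '/' or 'null'
    count as a profile, so 'system_tor' is wrongly treated as unconfined."""
    for line in attr_current.splitlines():
        if line.startswith("/") or line.startswith("null"):
            return True
    return False

# '<profile>' optionally followed by ' (<mode>)', e.g. 'system_tor (enforce)'
_ATTR_RE = re.compile(r"^(?P<profile>.+?)(?: \((?P<mode>[a-z]+)\))?$")

def parse_attr_current(attr_current: str):
    """Return (profile, mode) for the contents of /proc/PID/attr/current.
    'unconfined' means no policy; anything else is the profile name, whether
    or not it looks like a path, with an optional enforce/complain suffix."""
    line = attr_current.strip()
    if line == "unconfined":
        return ("unconfined", None)
    match = _ATTR_RE.match(line)
    return (match.group("profile"), match.group("mode"))

def fixed_is_confined(attr_current: str) -> bool:
    """Confined unless the kernel reports 'unconfined', regardless of name shape."""
    profile, _mode = parse_attr_current(attr_current)
    return profile != "unconfined"

def profile_for_pid(pid: int):
    """Hypothetical helper: read the label the kernel applied to a live process."""
    with open("/proc/%d/attr/current" % pid) as current:
        return parse_attr_current(current.read())

if __name__ == "__main__":
    for name, contents in SAMPLES.items():
        print(name, "buggy:", buggy_is_confined(contents),
              "fixed:", fixed_is_confined(contents), parse_attr_current(contents))
```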