[pkg-apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different

u u at 451f.org
Mon Feb 2 16:14:17 UTC 2015


Hi,

Steve Beattie:
> On Mon, Feb 02, 2015 at 10:22:27AM +0000, u wrote:

>> `aa-unconfined` seems to ignore this, but `aa-status` tells me that the
>> `system_tor` profile is well active.
> 
> This is a bug in aa-unconfined. It's not been updated to take into
> account the possibility of profile names that are not path based
> (i.e. begins with '/'); specifically, the aa-unconfined code contains:
> 
>         with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
>             for line in current:
>                 if line.startswith("/") or line.startswith("null"):
>                     attr = line.strip()
> 
>> Do I need to worry about the tor process not being confined?
> 
> In this case, it does not appear that you do. To confirm, you'll want
> to ensure that the tor process(es) is showing up in the 'XX processes
> are in enforce mode.' in the output of aa-status.
> 
> More generally, for debugging purposes, to identify what apparmor
> profile the kernel has applied to a given process, find the pid of
> the process that you're interested in and then examine the contents
> of /proc/PID/attr/current (replacing PID with the pid you identified
> earlier). If it contains 'unconfined', then there is no apparmor
> policy applied. Otherwise, it should contain the name of the profile
> ('system_tor' in the case of tor).

Thanks! I've added this info to the Debian wiki [1]

Ulrike

[1] https://wiki.debian.org/AppArmor/Debug



More information about the pkg-apparmor-team mailing list