[pkg-apparmor] [apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different
Christian Boltz
apparmor-debian at cboltz.de
Mon Feb 2 19:11:54 UTC 2015
Hello,
On Monday, 2 February 2015, John Johansen wrote:
> On 02/02/2015 07:51 AM, Christian Boltz wrote:
> > Does it work if you change aa-unconfined line 66? Untested
> > pseudo-patch:
> > - if line.startswith("/") or line.startswith("null"):
> > + if line.strip() != "unconfined":
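Review bot: on the `+` line, `line.strip() != "unconfined"` treats every other value as confined, so an empty or otherwise unexpected line would also pass the check; consider additionally requiring that `line.strip()` is non-empty. The change widens the match from names starting with "/" or "null" to any profile name, so a short comment on that line stating that this is intentional would help the next reader. As the patch is marked untested, it should be run against a process whose profile name does not start with "/" before it is applied.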
> hrmmm, the null check is interesting. The only place you should hit
> that is in learning mode when there is no profile associated, which
Right.
> from a confinement pov is unconfined
I'd say it's complain mode (with a strange[tm] profile mode, but still
complain mode).
The old code included null* profiles - but it excluded profile names not
starting with /
> so I would probably keep that
> if line.strip() != "unconfined" or line.startswith("null"):
Hint: a line that starts with "null" will always be != 'unconfined', so
the additional check doesn't change anything ;-)
> of course that won't work for namespaced stuff but no one is using
> that yet.
That's another can of worms ;-)
Regards,
Christian Boltz
--
"If you spend more on coffee than on IT security,
then you will be hacked. [Richard A. Clarke / 2002]