[pkg-apparmor] [apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different
John Johansen
john.johansen at canonical.com
Mon Feb 2 19:27:57 UTC 2015
On 02/02/2015 10:58 AM, Christian Boltz wrote:
> Hello,
>
> On Monday, 2 February 2015, u wrote:
>> Christian Boltz:
>>> On Monday, 2 February 2015, u wrote:
>>>> While playing around with `aa-unconfined` I saw that /usr/bin/tor
>>>> is marked as not being confined.
>>>
>>> Does it work if you change aa-unconfined line 66? Untested
>>> pseudo-patch:
>>> - if line.startswith("/") or line.startswith("null"):
>>> + if line.strip() != "unconfined":
>> Actually, yes!
>> If I use your line, I get:
>>
>> 1609 /usr/bin/tor confined by 'system_tor (enforce)'
>>
>> instead of
>>
>> 1609 /usr/bin/tor not confined
>
> Thanks for testing!
>
> Some IRC discussion brought up that it's probably better to check for
> ' (complain)' and ' (enforce)', so here's the patch:
>
>
> Fix aa-unconfined to work with profile names that don't start with / or null
>
> I propose this patch for 2.9 and trunk.
>
>
> [ aa-unconfined--named-profiles.diff ]
>
> === modified file 'utils/aa-unconfined'
> --- utils/aa-unconfined 2014-09-14 18:17:00 +0000
> +++ utils/aa-unconfined 2015-02-02 18:50:07 +0000
> @@ -63,8 +63,9 @@
> if os.path.exists("/proc/%s/attr/current"%pid):
> with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
> for line in current:
> - if line.startswith("/") or line.startswith("null"):
> - attr = line.strip()
> + line = line.strip()
> + if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1): # enforce at least one char as profile name
> + attr = line
>
> cmdline = apparmor.common.cmd(["cat", "/proc/%s/cmdline"%pid])[1]
> pname = cmdline.split("\0")[0]
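Review bot: the new condition hard-codes the two mode suffixes ' (complain)' and ' (enforce)', so any other mode string the kernel might write to /proc/PID/attr/current would again make the process show up as "not confined", which is the same class of bug this patch fixes for profile names that don't start with / or null. Consider keeping the accepted suffixes in one tuple and testing them with any(), e.g. `modes = (' (complain)', ' (enforce)')` followed by `if any(line.endswith(m, 1) for m in modes):`, and moving the trailing comment about the start index of 1 onto its own line above the condition, since the combined line is well over the usual width. Otherwise the logic is sound: strip() removes the trailing newline before the suffix test, and the start index of 1 correctly rejects a line that consists of the mode string alone with an empty profile name.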
>
>
>
This wfm,
Acked-by: John Johansen <john.johansen at canonical.com>