[apparmor] [pkg-apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different

Steve Beattie steve at nxnw.org
Mon Feb 2 15:45:15 UTC 2015


On Mon, Feb 02, 2015 at 10:22:27AM +0000, u wrote:
> (Cc:ed Peter Palfrader (weasel), who maintains tor in Debian and the
> Debian AppArmor Packaging Team.)
> 
> While playing around with `aa-unconfined` i saw that /usr/bin/tor is
> marked as not being confined.
> 
> In Debian, `tor` comes with an apparmor profile which is called
> "system_tor" and lives in /etc/apparmor.d.
> 
> `aa-unconfined` seems to ignore this, but `aa-status` tells me that the
> `system_tor` profile is well active.

This is a bug in aa-unconfined. It hasn't been updated to take into
account the possibility of profile names that are not path based
(i.e. that begin with '/'); specifically, the aa-unconfined code contains:

        with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
            for line in current:
                # only path-based ('/...') and null profiles are recognised here;
                # a named profile such as 'system_tor' is silently skipped
                if line.startswith("/") or line.startswith("null"):
                    attr = line.strip()

> Do I need to worry about the tor process not being confined?

In this case, it does not appear that you do. To confirm, you'll want
to ensure that the tor process(es) are showing up in the 'XX processes
are in enforce mode.' section of the output of aa-status.

More generally, for debugging purposes, to identify what apparmor
profile the kernel has applied to a given process, find the pid of
the process that you're interested in and then examine the contents
of /proc/PID/attr/current (replacing PID with the pid you identified
earlier). If it contains 'unconfined', then there is no apparmor
policy applied. Otherwise, it should contain the name of the profile
('system_tor' in the case of tor).

Thanks!

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
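As an added illustration (not code from the original mail and not the aa-unconfined source), the following Python shows the prefix heuristic described above beside a check that parses /proc/PID/attr/current properly. The sample attr/current contents, the pids and the function names are constructed for the example; the mode suffix format "name (enforce)" is the one AppArmor writes, and a bare "unconfined" means no policy is applied.

```python
"""Added example: classify a process's AppArmor confinement from
/proc/PID/attr/current, handling named (non-path) profiles such as
'system_tor' that the old aa-unconfined heuristic missed."""
import re

# Constructed sample contents of /proc/PID/attr/current (pids are made up).
SAMPLE_ATTR_CURRENT = {
    1234: "unconfined\n",                  # no policy applied
    2345: "/usr/sbin/cupsd (enforce)\n",   # path-based profile
    3456: "system_tor (enforce)\n",        # named profile: the tor case
    4567: "/usr/bin/evince (complain)\n",  # path-based, complain mode
}

# "<profile> (<mode>)" with the mode part optional.
_ATTR_RE = re.compile(r"^(?P<profile>.+?)(?: \((?P<mode>[a-z]+)\))?$")


def buggy_is_confined(attr):
    """The heuristic aa-unconfined used: only '/...' or 'null...' counts.

    Any other profile name (e.g. 'system_tor') is reported as unconfined."""
    line = attr.strip()
    return line.startswith("/") or line.startswith("null")


def parse_attr_current(attr):
    """Return (profile, mode); mode is None when the process is unconfined."""
    line = attr.strip()
    if line == "unconfined":
        return ("unconfined", None)
    m = _ATTR_RE.match(line)
    return (m.group("profile"), m.group("mode"))


def is_confined(attr):
    """Correct check: anything other than the literal 'unconfined' is a profile."""
    profile, _mode = parse_attr_current(attr)
    return profile != "unconfined"


def read_attr_current(pid, reader=None):
    """Read /proc/PID/attr/current for a real pid, or via `reader` for
    constructed data (reader is a hypothetical hook for offline use)."""
    if reader is not None:
        return reader(pid)
    with open("/proc/%d/attr/current" % pid) as current:
        return current.read()


def report(samples):
    """Rows of (pid, profile, mode, buggy_verdict, correct_verdict)."""
    rows = []
    for pid, attr in sorted(samples.items()):
        profile, mode = parse_attr_current(attr)
        rows.append((pid, profile, mode,
                     buggy_is_confined(attr), is_confined(attr)))
    return rows


if __name__ == "__main__":
    print("pid    profile                  mode      old-check  correct")
    for pid, profile, mode, old, new in report(SAMPLE_ATTR_CURRENT):
        print("%-6d %-24s %-9s %-10s %s" % (pid, profile, mode, old, new))
```

Running it shows pid 3456 (the system_tor case) reported as unconfined by the old heuristic and as confined in enforce mode by the corrected check, which matches what aa-status reports. To inspect a live process, call read_attr_current(pid) without a reader and pass the result to parse_attr_current.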