[apparmor] [pkg-apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different

Christian Boltz apparmor-debian at cboltz.de
Mon Feb 2 18:58:58 UTC 2015


Hello,

On Monday, 2 February 2015, u wrote:
> Christian Boltz:
> > On Monday, 2 February 2015, u wrote:
> >> While playing around with `aa-unconfined` I saw that /usr/bin/tor
> >> is marked as not being confined.
> > 
> > Does it work if you change aa-unconfined line 66? Untested
> > pseudo-patch:
> > -                if line.startswith("/") or line.startswith("null"):
> > +               if line.strip() != "unconfined":
> Actually, yes!
> If I use your line, I get:
> 
> 1609 /usr/bin/tor confined by 'system_tor (enforce)'
> 
> instead of
> 
> 1609 /usr/bin/tor not confined

Thanks for testing!

Some IRC discussion brought up that it's probably better to check for
' (complain)' and ' (enforce)', so here's the patch:


Fix aa-unconfined to work with profile names that don't start with / or null

I propose this patch for 2.9 and trunk.


[ aa-unconfined--named-profiles.diff ]

=== modified file 'utils/aa-unconfined'
--- utils/aa-unconfined 2014-09-14 18:17:00 +0000
+++ utils/aa-unconfined 2015-02-02 18:50:07 +0000
@@ -63,8 +63,9 @@
     if os.path.exists("/proc/%s/attr/current"%pid):
         with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
             for line in current:
-                if line.startswith("/") or line.startswith("null"):
-                    attr = line.strip()
+                line = line.strip()
+                if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1): # enforce at least one char as profile name
+                    attr = line
 
     cmdline = apparmor.common.cmd(["cat", "/proc/%s/cmdline"%pid])[1]
     pname = cmdline.split("\0")[0]
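Review bot: the new test `if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1)` hard-codes two mode suffixes, so a label line carrying any other `(mode)` suffix would fall through the check and leave the process reported as "not confined", which is the same class of false negative this patch removes for the `/` and `null` prefix test; consider matching the general `name (mode)` shape instead (for example `line.endswith(')') and ' (' in line[1:]`) or keeping the accepted modes in one named list. The `1` start argument is doing real work here (it rejects a bare `' (enforce)'` line with an empty profile name) but is easy to misread as a typo; an explicit length check, or a comment on its own line rather than trailing a 120-column `if`, would make that intent clearer to the next reader.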



Regards,

Christian Boltz
-- 
[Antivirus software]   E v e r y o n e   n e e d s   t h e m
Not only for security against fraudsters,
but above all as protection against bankers and lawyers.
[Ernst Scott in opensuse-de]
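The thread turns on how aa-unconfined decides, from one line of /proc/PID/attr/current, whether a process is confined. The following is an added example written for this archive page, not code from the AppArmor utils or from the patch author: it puts the old prefix test next to a parser that accepts the "name (mode)" shape the kernel writes, generalised from the two modes named in the thread (complain, enforce) to any lowercase mode word, and keeps the patch's "at least one character of profile name" rule. The regular expression, the function names and the sample label lines are this example's own assumptions.

```python
import re

# Shape of a label line from /proc/<pid>/attr/current: "<profile> (<mode>)".
# Assumption of this example: the mode is a lowercase word; the thread only
# names "complain" and "enforce". ".+" requires a non-empty profile name, which
# mirrors the start=1 argument in the patch's endswith() calls.
LABEL_RE = re.compile(r'^(?P<profile>.+) \((?P<mode>[a-z]+)\)$')


def old_check(line):
    """Pre-patch test from the thread: confined only if the label starts with
    '/' or 'null'. Named profiles such as 'system_tor' fail this test."""
    return line.startswith("/") or line.startswith("null")


def parse_label(line):
    """Return (profile, mode) for a confining label, or None when the line
    describes an unconfined process (or is not a well-formed label)."""
    line = line.strip()          # drop the trailing newline the kernel emits
    if not line or line == "unconfined":
        return None
    m = LABEL_RE.match(line)
    if m is None:                # e.g. ' (enforce)' with an empty profile name
        return None
    return m.group("profile"), m.group("mode")


def describe(pid, exe, line):
    """Build the one-line report in the format shown in the thread's output."""
    parsed = parse_label(line)
    if parsed is None:
        return "%d %s not confined" % (pid, exe)
    profile, mode = parsed
    return "%d %s confined by '%s (%s)'" % (pid, exe, profile, mode)


# Constructed sample lines (pid, executable, attr/current contents); the tor
# line reproduces the case reported in the thread.
SAMPLES = [
    (1609, "/usr/bin/tor", "system_tor (enforce)\n"),
    (2210, "/usr/sbin/ntpd", "/usr/sbin/ntpd (complain)\n"),
    (3001, "/usr/bin/python3", "unconfined\n"),
    (4002, "/bin/broken", " (enforce)\n"),
]

if __name__ == "__main__":
    for pid, exe, line in SAMPLES:
        print("%-55s old check: %s" % (describe(pid, exe, line),
                                       old_check(line.strip())))
```

Running it shows why the prefix test misreported tor: `old_check` returns False for `system_tor (enforce)` even though the parser recognises it as a confining label, while the `unconfined` line and the empty-name line are still reported as not confined.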