[apparmor] [pkg-apparmor] Fwd: Re: aa-unconfined shows tor as being unconfined, aa-status says different

John Johansen john.johansen at canonical.com
Mon Feb 2 19:27:57 UTC 2015


On 02/02/2015 10:58 AM, Christian Boltz wrote:
> Hello,
> 
> Am Montag, 2. Februar 2015 schrieb u:
>> Christian Boltz:
>>> Am Montag, 2. Februar 2015 schrieb u:
>>>> While playing around with `aa-unconfined` I saw that /usr/bin/tor
>>>> is marked as not being confined.
>>>
>>> Does it work if you change aa-unconfined line 66? Untested
>>> pseudo-patch:
>>> -                if line.startswith("/") or line.startswith("null"):
>>> +               if line.strip() != "unconfined":
>> Actually, yes!
>> If I use your line, I get:
>>
>> 1609 /usr/bin/tor confined by 'system_tor (enforce)'
>>
>> instead of
>>
>> 1609 /usr/bin/tor not confined
> 
> Thanks for testing!
> 
> Some IRC discussion brought up that it's probably better to check for
> ' (complain)' and ' (enforce)', so here's the patch:
> 
> 
> Fix aa-unconfined to work with profile names that don't start with / or null
> 
> I propose this patch for 2.9 and trunk.
> 
> 
> [ aa-unconfined--named-profiles.diff ]
> 
> === modified file 'utils/aa-unconfined'
> --- utils/aa-unconfined 2014-09-14 18:17:00 +0000
> +++ utils/aa-unconfined 2015-02-02 18:50:07 +0000
> @@ -63,8 +63,9 @@
>      if os.path.exists("/proc/%s/attr/current"%pid):
>          with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
>              for line in current:
> -                if line.startswith("/") or line.startswith("null"):
> -                    attr = line.strip()
> +                line = line.strip()
> +                if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1): # enforce at least one char as profile name
> +                    attr = line
>  
>      cmdline = apparmor.common.cmd(["cat", "/proc/%s/cmdline"%pid])[1]
>      pname = cmdline.split("\0")[0]
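Review bot: the second argument in `line.endswith(' (complain)', 1)` is the *start* index for the search, not a count, and it is easy to misread; the inline comment helps, but an explicit guard such as `len(line) > len(' (enforce)')` or a comment naming the `start` parameter would make the intent unmistakable. Also worth noting that the new check hardcodes the two mode suffixes, so if `/proc/<pid>/attr/current` ever reports a profile in another mode the process will be listed as "not confined" even though it is confined; a small regex matching `<profile> (<word>)` would cover that while still rejecting an empty profile name.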
> 
> 
> 
This wfm,

Acked-by: John Johansen <john.johansen at canonical.com>
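To show what the patch above is protecting against, here is an added example (not code from the aa-unconfined tool or from anyone on this thread) that parses constructed `/proc/<pid>/attr/current` contents the way the fixed check does, side by side with the pre-patch `startswith` test that misses named profiles such as `system_tor`. The regex, the generic mode word and the sample lines are assumptions made for this example; the list patch only checks the `(complain)` and `(enforce)` suffixes.

```python
import re

# The confined form is "<profile> (<mode>)". The profile name may start with
# any character (e.g. "system_tor"), so match on the trailing " (<mode>)"
# rather than on the first character of the name. Accepting any lowercase
# mode word is an assumption of this example, not the list patch's behaviour.
_CONFINED_RE = re.compile(r'^(?P<profile>.+?) \((?P<mode>[a-z]+)\)$')


def legacy_check(raw):
    """Pre-patch test from aa-unconfined: only path- or null-named profiles.

    Returns True when the old code would have treated the line as a profile.
    A named profile such as "system_tor (enforce)" is missed, which is the
    bug reported on the list (tor shown as "not confined").
    """
    line = raw
    return line.startswith("/") or line.startswith("null")


def parse_attr_current(raw):
    """Parse the contents of /proc/<pid>/attr/current.

    Returns (profile, mode) for a confined task, or None when the task is
    unconfined. The kernel terminates the value with a newline; a trailing
    NUL is also stripped defensively.
    """
    line = raw.rstrip('\n\0').strip()
    if line == '' or line == 'unconfined':
        return None
    m = _CONFINED_RE.match(line)
    if m is None:
        # An empty profile name such as " (enforce)" or any unknown format is
        # reported as unconfined, matching the patch's "at least one char"
        # guard, instead of guessing a profile name.
        return None
    return m.group('profile'), m.group('mode')


def describe(pid, pname, raw):
    """Render the line aa-unconfined prints for one process."""
    parsed = parse_attr_current(raw)
    if parsed is None:
        return "%d %s not confined" % (pid, pname)
    profile, mode = parsed
    return "%d %s confined by '%s (%s)'" % (pid, pname, profile, mode)


# Constructed sample inputs (pid, argv[0], attr/current contents).
SAMPLES = [
    (1609, '/usr/bin/tor', 'system_tor (enforce)\n'),             # named profile
    (2345, '/usr/sbin/cupsd', '/usr/sbin/cupsd (complain)\n'),    # path-named profile
    (3456, '/usr/bin/evince', 'null-/usr/bin/evince (enforce)\n'),  # null-* profile
    (4567, '/usr/bin/ssh', 'unconfined\n'),                       # genuinely unconfined
    (5678, '/usr/bin/foo', ' (enforce)\n'),                       # empty name: rejected
]


def report(samples=SAMPLES):
    """Return the aa-unconfined style line for every sample, old vs new check."""
    rows = []
    for pid, pname, raw in samples:
        rows.append((legacy_check(raw), describe(pid, pname, raw)))
    return rows


if __name__ == '__main__':
    for old_ok, line in report():
        print("%-5s %s" % ("old:ok" if old_ok else "old:miss", line))
```

Running the block prints each sample with a marker showing whether the pre-patch `startswith` test would have recognised the profile; the `system_tor` case is the one where the old check misses and the new parse succeeds.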

