Hello,

On Monday, 2 February 2015, u wrote:
> While playing around with `aa-unconfined` I saw that /usr/bin/tor is
> marked as not being confined.
>
> In Debian, `tor` comes with an apparmor profile which is called
> "system_tor" and lives in /etc/apparmor.d.
>
> `aa-unconfined` seems to ignore this, but `aa-status` tells me that
> the `system_tor` profile is indeed active.
>
> Do I need to worry about the tor process not being confined?

If in doubt, cat /proc/$tor_pid/attr/current

> Asked differently, do profiles need to be named a certain way (e.g.
> `usr/bin/something`) to be taken into account by `aa-unconfined`?
>
> How do other distributions handle this particular profile?
>
> As intrigeri says [1], one of these tools might be buggy.

I'd guess this is a bug in aa-unconfined - it only checks for profile
names starting with / or null:

    if os.path.exists("/proc/%s/attr/current"%pid):
        with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
            for line in current:
                if line.startswith("/") or line.startswith("null"):
                    attr = line.strip()

Does it work if you change aa-unconfined line 66? Untested pseudo-patch:

- if line.startswith("/") or line.startswith("null"):
+ if line.strip() != "unconfined":

Regards,

Christian Boltz
-- 
What's the matter with you? emacs is a great operating system!
The only thing it lacks is a decent editor (vim?)
[Jan Trippler in suse-linux]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
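Review bot: the replacement condition `line.strip() != "unconfined"` in the pseudo-patch is also true for an empty or whitespace-only line, which would set `attr` to an empty string; since the value is stripped anyway, compute it once and test it, e.g. `attr = line.strip()` followed by `if attr and attr != "unconfined":`, so the loop below keeps the same assignment but never records a blank label.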
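To make the suspected bug concrete, here is an added example (not code from the thread or from the AppArmor tools) that runs the quoted aa-unconfined check and the proposed replacement side by side over constructed /proc/<pid>/attr/current contents; the "<profile> (<mode>)" label format and the sample profile names are assumptions for the demo, not values taken from the list post.

```python
# Added example: compare the confinement check quoted from aa-unconfined
# with the proposed replacement, using constructed /proc/<pid>/attr/current
# contents instead of reading the live /proc filesystem.

def original_check(attr_current: str):
    """Mirror the quoted aa-unconfined logic: a process only counts as
    confined when its label starts with "/" or "null", so a named
    profile such as "system_tor" is reported as unconfined."""
    attr = None
    for line in attr_current.splitlines(keepends=True):
        if line.startswith("/") or line.startswith("null"):
            attr = line.strip()
    return attr


def proposed_check(attr_current: str):
    """Mirror the pseudo-patch: any label other than "unconfined" is a
    profile.  Blank lines are skipped as well (an addition made here so a
    stray trailing newline is never recorded as a profile name)."""
    attr = None
    for line in attr_current.splitlines():
        label = line.strip()
        if label and label != "unconfined":
            attr = label
    return attr


# Constructed sample file contents in the kernel's label format
# "<profile> (<mode>)", plus the bare "unconfined" marker.
SAMPLES = {
    "path-named":    "/usr/sbin/ntpd (enforce)\n",
    "named-profile": "system_tor (enforce)\n",
    "null-profile":  "null-complain-profile (complain)\n",
    "unconfined":    "unconfined\n",
}


def compare():
    """Return {sample_name: (original_result, proposed_result)}; None
    means the check would report the process as unconfined."""
    return {name: (original_check(content), proposed_check(content))
            for name, content in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, new) in compare().items():
        print(f"{name:14} original={orig!r:36} proposed={new!r}")
```

Only the "named-profile" row differs between the two columns, which is exactly the system_tor case described in the thread.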