Hello,

On Monday, 2 February 2015, u wrote:
> Christian Boltz:
> > On Monday, 2 February 2015, u wrote:
> >> While playing around with `aa-unconfined` I saw that /usr/bin/tor is
> >> marked as not being confined.
> >
> > Does it work if you change aa-unconfined line 66? Untested
> > pseudo-patch:
> > -    if line.startswith("/") or line.startswith("null"):
> > +    if line.strip() != "unconfined":
> Actually, yes!
> If I use your line, I get:
>
> 1609 /usr/bin/tor confined by 'system_tor (enforce)'
>
> instead of
>
> 1609 /usr/bin/tor not confined
Thanks for testing!

Some IRC discussion brought up that it's probably better to check for
' (complain)' and ' (enforce)', so here's the patch:

    Fix aa-unconfined to work with profile names that don't start with / or null

I propose this patch for 2.9 and trunk.

[ aa-unconfined--named-profiles.diff ]

=== modified file 'utils/aa-unconfined'
--- utils/aa-unconfined	2014-09-14 18:17:00 +0000
+++ utils/aa-unconfined	2015-02-02 18:50:07 +0000
@@ -63,8 +63,9 @@
             if os.path.exists("/proc/%s/attr/current"%pid):
                 with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
                     for line in current:
-                        if line.startswith("/") or line.startswith("null"):
-                            attr = line.strip()
+                        line = line.strip()
+                        if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1):  # enforce at least one char as profile name
+                            attr = line
 
             cmdline = apparmor.common.cmd(["cat", "/proc/%s/cmdline"%pid])[1]
             pname = cmdline.split("\0")[0]

Regards,

Christian Boltz
--
[Antivirus software] E v e r y o n e  n e e d s  i t.
Not only for reasons of security against fraudsters, but in particular
as protection against bankers and lawyers. [Ernst Scott in opensuse-de]

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
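Review bot: in the added `if`, the `1` passed as the second argument to `endswith` is its `start` index, not a minimum length; because `line.strip()` on the line above has already removed leading whitespace, a stripped line can never begin with the space that the suffixes ' (complain)' and ' (enforce)' require, so the `, 1` is redundant and the comment "enforce at least one char as profile name" describes a guarantee the `strip()` already gives. Dropping the `, 1` (or rewording the comment) would stop readers from assuming `endswith` takes a length parameter. A second point: only these two mode strings are recognised, so a line ending in any other parenthesised mode leaves `attr` unset by this loop; matching the trailing mode suffix in one place, e.g. with a regex such as ` \((complain|enforce)\)$` that is easy to extend, would keep the check robust.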
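As an added illustration (my own code, not part of the thread or of the AppArmor project's aa-unconfined), the check the patch introduces can be written as a small parser for the `/proc/<pid>/attr/current` line: everything before a trailing ` (complain)` or ` (enforce)` is the profile name, whatever characters it starts with, and a line without such a suffix (e.g. `unconfined`) means no profile is attached. The sample lines below are constructed; the `describe()` output format mirrors the two result lines quoted earlier in the thread.

```python
import re

# Constructed sample lines in the shape of /proc/<pid>/attr/current.
# The first two forms are the ones aa-unconfined previously accepted
# (names starting with "/" or "null"); "system_tor" is the case from
# the bug report that the old startswith() check missed.
SAMPLE_ATTR_LINES = [
    "unconfined\n",
    "/usr/bin/tor (enforce)\n",
    "null-complain-profile (complain)\n",
    "system_tor (enforce)\n",
    " (complain)\n",          # malformed: empty profile name
]

# Profile name (at least one character), one space, then the mode in
# parentheses at the very end of the stripped line.  The anchor on the
# mode keeps "unconfined" and other mode-less lines from matching.
_CONFINED_RE = re.compile(r'^(?P<profile>.+) \((?P<mode>complain|enforce)\)$')


def parse_attr_current(line):
    """Return (profile, mode) for a confined task, or None if unconfined.

    Whitespace is stripped first, so an otherwise empty name followed by
    a mode (" (complain)") does not pass as a one-character profile.
    """
    m = _CONFINED_RE.match(line.strip())
    if m is None:
        return None
    return m.group("profile"), m.group("mode")


def describe(pid, exe_path, attr_line):
    """Format one result line the way aa-unconfined reports a process."""
    parsed = parse_attr_current(attr_line)
    if parsed is None:
        return "%d %s not confined" % (pid, exe_path)
    profile, mode = parsed
    return "%d %s confined by '%s (%s)'" % (pid, exe_path, profile, mode)


if __name__ == "__main__":
    # Constructed pid/path pairs; only the attr line drives the verdict.
    for attr_line in SAMPLE_ATTR_LINES:
        print(describe(1609, "/usr/bin/tor", attr_line))
```

Because the regex is anchored on the mode suffix rather than on the start of the name, adding a further mode later is a one-token change to the alternation instead of another `endswith()` clause.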