On 02/02/2015 10:58 AM, Christian Boltz wrote:
> Hello,
>
> On Monday, 2 February 2015, u wrote:
>> Christian Boltz:
>>> On Monday, 2 February 2015, u wrote:
>>>> While playing around with `aa-unconfined` I saw that /usr/bin/tor
>>>> is
>>>> marked as not being confined.
>>>
>>> Does it work if you change aa-unconfined line 66? Untested
>>> pseudo-patch:
>>> - if line.startswith("/") or line.startswith("null"):
>>> + if line.strip() != "unconfined":
>> Actually, yes!
>> If I use your line, I get:
>>
>> 1609 /usr/bin/tor confined by 'system_tor (enforce)'
>>
>> instead of
>>
>> 1609 /usr/bin/tor not confined
>
> Thanks for testing!
>
> Some IRC discussion brought up that it's probably better to check for
> ' (complain)' and ' (enforce)', so here's the patch:
>
>
> Fix aa-unconfined to work with profile names that don't start with / or null
>
> I propose this patch for 2.9 and trunk.
>
>
> [ aa-unconfined--named-profiles.diff ]
>
> === modified file 'utils/aa-unconfined'
> --- utils/aa-unconfined 2014-09-14 18:17:00 +0000
> +++ utils/aa-unconfined 2015-02-02 18:50:07 +0000
> @@ -63,8 +63,9 @@
> if os.path.exists("/proc/%s/attr/current"%pid):
> with aa.open_file_read("/proc/%s/attr/current"%pid) as current:
> for line in current:
> - if line.startswith("/") or line.startswith("null"):
> - attr = line.strip()
> + line = line.strip()
> + if line.endswith(' (complain)', 1) or line.endswith('
> (enforce)', 1): # enforce at least one char as profile name
> + attr = line
>
> cmdline = apparmor.common.cmd(["cat", "/proc/%s/cmdline"%pid])[1]
> pname = cmdline.split("\0")[0]
>
>
This wfm,
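Review bot: the start index in `line.endswith(' (complain)', 1)` is easy to misread as a second pattern and the trailing comment only half explains it; on the `+ if line.endswith(...)` line, an explicit length check such as `len(line) > len(' (enforce)') and line.endswith((' (complain)', ' (enforce)'))` states the "at least one char of profile name" intent directly. Also, `attr` is now only assigned when a mode suffix matches, so a line reading `unconfined` leaves `attr` untouched; if `attr` is not reset before this `for line in current:` loop, a stale value from an earlier iteration or an unset name could leak into the later output.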
Acked-by: John Johansen <john.johan...@canonical.com>

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
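The check the patch introduces, as an added example that is not part of the thread or of the aa-unconfined source: it applies the old and the new rule to constructed /proc/<pid>/attr/current contents and builds the "confined by" line quoted above. The function names and the sample lines are assumptions made for this example.

```python
# Added example (not code from the thread or from AppArmor's utils/aa-unconfined).
# /proc/<pid>/attr/current holds either "unconfined" or "<profile> (<mode>)".

MODES = ("complain", "enforce")  # the two mode suffixes the patch checks for


def old_check(line):
    """Pre-patch rule: only names starting with '/' or 'null' count as confined."""
    if line.startswith("/") or line.startswith("null"):
        return line.strip()
    return None


def parse_attr_current(line):
    """Post-patch rule: split one attr/current line into (profile, mode).

    Returns None for 'unconfined', for lines without a mode suffix, and for a
    suffix with an empty profile name in front of it.
    """
    line = line.strip()
    for mode in MODES:
        suffix = " (%s)" % mode
        # start index 1 mirrors the patch: at least one char of profile name
        if line.endswith(suffix, 1):
            return line[:-len(suffix)], mode
    return None


def describe(pid, exe, line):
    """Produce the aa-unconfined style report line for one process."""
    parsed = parse_attr_current(line)
    if parsed is None:
        return "%s %s not confined" % (pid, exe)
    profile, mode = parsed
    return "%s %s confined by '%s (%s)'" % (pid, exe, profile, mode)


# Constructed samples of attr/current contents (not captured from a real system)
SAMPLES = [
    (1609, "/usr/bin/tor", "system_tor (enforce)\n"),          # named profile
    (2001, "/usr/sbin/ntpd", "/usr/sbin/ntpd (enforce)\n"),    # path-named profile
    (2002, "/usr/sbin/apache2",
     "/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)\n"),  # hat
    (2003, "/bin/bash", "unconfined\n"),
]

if __name__ == "__main__":
    for pid, exe, line in SAMPLES:
        print("old rule: %r" % old_check(line))
        print(describe(pid, exe, line))
```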