Leverage AppArmor's in-kernel solution for determining executable paths.
Using /proc/pid/cmdline is not secure since it can be trivially set with, for instance: exec -a "pwned" sh -c 'cat /proc/$$/cmdline' The /proc/pid/exe symlink is not good enough for scripts (since it will point to the interpreter, not the script) so let's instead use AppArmor's in-kernel solution for determining executable paths. We fallback to /proc/pid/exe for unconfined processes, which leaves us with only unconfined scripts not being supported by tor-controlport-filter. However, profiles in complain mode is still good enough, so a trivial stub profile in complain mode is enough, which is exactly what we do for onionshare and onioncircuits.
Showing with 61 additions and 10 deletions