tor debian package installs apparmor profile ineffectively
The Tor package for Debian (0.2.3.25-1) installs an AppArmor profile in /etc/apparmor.d/system_tor. This is the correct filename under Ubuntu Upstart, but incorrect under Debian.
Under Debian, the file must be named /etc/apparmor.d/usr.sbin.tor, or alternatively usr.sbin.tor may be a symlink to system_tor.
The symptom of this bug is that the profile is loaded but not applied to the running binary:
dmesg | grep -i apparmor
[ 0.004000] AppArmor: AppArmor initialized
[ 0.030864] AppArmor: AppArmor Filesystem Enabled
[ 13.402898] type=1400 audit(1369748668.187:2): apparmor="STATUS" operation="profile_load" name="system_tor" pid=1448 comm="apparmor_parser"
ps auxwww | grep tor
102 1672 0.4 0.8 48484 17576 ? S 13:44 0:00 /usr/sbin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --hush
aa-status
AppArmor available in kernel.
1 profiles are loaded.
1 profiles are in enforce mode.
   system_tor
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode. <<<<<<<< !!!
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
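
The symptom above (profile loaded, no process confined) can also be checked per process by reading the AppArmor label the kernel exposes in /proc/PID/attr/current. The following is an added example, not part of the original report or of the Tor or Debian packaging; the function name check_confinement and its optional proc-root argument are hypothetical, and reading another user's /proc/PID/exe requires root.

```shell
#!/bin/sh
# Added example: report the AppArmor label of every process running a binary.
# check_confinement BINARY [PROC_ROOT]
#   BINARY     absolute path to match against /proc/PID/exe
#   PROC_ROOT  hypothetical override of /proc, used only for offline testing
# Prints "<pid> <label>" per matching process.
# Returns 0 if all matches are confined, 1 if any is not, 2 if none found.
check_confinement() {
    binary=$1
    proc_root=${2:-/proc}
    found=0
    unconfined=0
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # exe is a symlink to the running binary; unreadable without privilege
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ "$exe" = "$binary" ] || continue
        found=$((found + 1))
        # attr/current holds "profile_name (mode)" or "unconfined"
        label=$(cat "$dir/attr/current" 2>/dev/null) || label="unknown"
        [ -n "$label" ] || label="unknown"
        case $label in
            unconfined|unknown) unconfined=$((unconfined + 1)) ;;
        esac
        printf '%s %s\n' "${dir##*/}" "$label"
    done
    if [ "$found" -eq 0 ]; then
        echo "no process running $binary" >&2
        return 2
    fi
    [ "$unconfined" -eq 0 ]
}

# Run as a script: ./check.sh /usr/sbin/tor
if [ "$#" -gt 0 ]; then
    check_confinement "$@"
fi
```

With the state shown in the report, the tor process would be listed as unconfined and the function would return 1.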