[apparmor] aa-unconfined man page vs behavior?
Steve Beattie
steve at nxnw.org
Fri Dec 30 07:33:57 UTC 2016
While editing the man page for aa-unconfined in this patch set, I
noticed that it's uh pretty inaccurate at describing the behavior
of aa-unconfined. It described listing processes without apparmor
policies applied, whereas the tool reports processes with and without
policies applied.
The question is, which way is the preferred way to fix this? Change
the documentation to accurately reflect the tool's behavior, or adjust
the tool to more closely reflect the documentation?
For reference, here's the man page, after applying the first patch in
the series:
AA-UNCONFINED(8) AppArmor AA-UNCONFINED(8)
NAME
aa-unconfined - output a list of processes with tcp or udp
ports that do not have AppArmor profiles loaded
SYNOPSIS
aa-unconfined [--paranoid] [--with-ss | --with-netstat]
OPTIONS
--paranoid
Displays all processes from /proc filesystem with tcp or
udp ports that do not have AppArmor profiles loaded.
--with-ss
Use the ss(8) command to find processes listening on
network sockets (the default).
--with-netstat
Use the netstat(8) command to find processes listening on
network sockets. This is also what aa-unconfined will
fall back to when ss(8) is not available.
DESCRIPTION
aa-unconfined will use netstat(8) to determine which
processes have open network sockets and do not have AppArmor
profiles loaded into the kernel.
BUGS
aa-unconfined must be run as root to retrieve the process
executable link from the /proc filesystem. This program is
susceptible to race conditions of several flavours: an
unlinked executable will be mishandled; an executable started
before an AppArmor profile is loaded will not appear in the
output, despite running without confinement; a process that
dies between the netstat(8) and further checks will be
mishandled. This program only lists processes using TCP and
UDP. In short, this program is unsuitable for forensics use
and is provided only as an aid to profiling all network-
accessible processes in the lab.
If you find any bugs, please report them at
<https://bugs.launchpad.net/apparmor/+filebug>.
SEE ALSO
ss(8), netstat(8), apparmor(7), apparmor.d(5),
aa_change_hat(2), and <http://wiki.apparmor.net>.
AppArmor 2.10.95 2016-12-30 AA-UNCONFINED(8)
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
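The lookup the man page above describes, as an added example that is not the AppArmor project's own aa-unconfined code: take the PIDs owning TCP/UDP sockets from ss(8) (netstat(8) as fallback), read each process's AppArmor label from /proc, and report it. It assumes the usual `ss -nltup` / `netstat -nltup` process-column formats and the `/proc/<pid>/attr/apparmor/current` (newer kernels) or `/proc/<pid>/attr/current` label files; `audit()` keeps both confined and unconfined processes, and `unconfined_only()` is the subset the NAME line talks about. The ss output and /proc contents under SAMPLE_* are constructed so `--demo` runs without root; the live path needs root, as the BUGS section says.

```python
"""Re-implementation of the check aa-unconfined(8) documents (example, not the project's code)."""
import os
import re
import subprocess
import sys
from dataclasses import dataclass

# Process column of `ss -nlp`: users:(("sshd",pid=1234,fd=3)); of `netstat -nlp`: 1234/sshd ("-" if hidden).
SS_PID_RE = re.compile(r"pid=(\d+)")
NETSTAT_PID_RE = re.compile(r"\s(\d+)/\S+\s*$")

# Constructed sample data (not captured from a real host) so the logic can run offline.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=987,fd=6))
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=4242,fd=7),("cupsd",pid=4243,fd=7))
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           987/dhclient
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
"""
SAMPLE_PROC = {  # pid -> (target of /proc/<pid>/exe, content of attr/current)
    987: ("/sbin/dhclient", "unconfined\n"),
    1234: ("/usr/sbin/sshd", "/usr/sbin/sshd (enforce)\n"),
    4242: ("/usr/sbin/cupsd (deleted)", "unconfined\n"),
    # 4243 is deliberately absent: it exited between ss(8) and the /proc lookup.
}


def pids_from_ss(output):
    """PIDs in `ss -nltup` output; a socket shared by forked workers yields every pid listed."""
    return {int(p) for line in output.splitlines() for p in SS_PID_RE.findall(line)}


def pids_from_netstat(output):
    """PIDs in `netstat -nltup` output; rows showing '-' (not visible to the caller) are skipped."""
    return {int(m.group(1)) for m in map(NETSTAT_PID_RE.search, output.splitlines()) if m}


def collect_pids():
    """Prefer ss(8), fall back to netstat(8), as the man page describes."""
    for cmd, parse in (("ss", pids_from_ss), ("netstat", pids_from_netstat)):
        try:
            out = subprocess.run([cmd, "-nltup"], capture_output=True, text=True, check=True).stdout
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
        return parse(out)
    raise RuntimeError("neither ss(8) nor netstat(8) is available")


def read_exe(pid):
    """Executable path; the kernel appends ' (deleted)' when the file was unlinked."""
    return os.readlink(f"/proc/{pid}/exe")


def read_label(pid):
    """Raw AppArmor label ('unconfined' or e.g. '/usr/sbin/sshd (enforce)')."""
    for path in (f"/proc/{pid}/attr/apparmor/current", f"/proc/{pid}/attr/current"):
        try:
            with open(path) as f:
                return f.read()
        except FileNotFoundError:
            continue
    raise FileNotFoundError(f"no AppArmor label for pid {pid}")


@dataclass
class Report:
    pid: int
    exe: str
    label: str
    state: str      # "confined", "unconfined" or "gone" (exited before it could be inspected)
    unlinked: bool  # executable deleted on disk; path-based profile attachment is unreliable


def classify(raw_label):
    """'unconfined' (or empty) means no profile applied; anything else names a profile."""
    return "unconfined" if raw_label.strip() in ("", "unconfined") else "confined"


def audit(pids, read_label=read_label, read_exe=read_exe):
    """Inspect each pid; the readers are injectable so the logic runs against constructed data."""
    reports = []
    for pid in sorted(pids):
        try:
            exe, raw = read_exe(pid), read_label(pid)
        except (FileNotFoundError, ProcessLookupError):
            reports.append(Report(pid, "", "", "gone", False))  # the race the BUGS section warns about
            continue
        reports.append(Report(pid, exe, raw.strip(), classify(raw), exe.endswith(" (deleted)")))
    return reports


def unconfined_only(reports):
    """The subset the NAME line describes: processes with no profile applied."""
    return [r for r in reports if r.state == "unconfined"]


def format_report(r):
    if r.state == "gone":
        return f"{r.pid} (exited before it could be inspected)"
    note = " [executable unlinked]" if r.unlinked else ""
    verdict = f"confined by '{r.label}'" if r.state == "confined" else "not confined"
    return f"{r.pid} {r.exe} {verdict}{note}"


def demo():
    """Run audit() over the constructed sample instead of the live system."""
    def fake_exe(pid):
        if pid not in SAMPLE_PROC:
            raise FileNotFoundError(pid)
        return SAMPLE_PROC[pid][0]

    def fake_label(pid):
        if pid not in SAMPLE_PROC:
            raise FileNotFoundError(pid)
        return SAMPLE_PROC[pid][1]
    return audit(pids_from_ss(SAMPLE_SS), read_label=fake_label, read_exe=fake_exe)


if __name__ == "__main__":
    for report in demo() if "--demo" in sys.argv else audit(collect_pids()):
        print(format_report(report))
```

Run it with `--demo` to see the four cases side by side: a confined daemon, an unconfined one, an unconfined process whose binary was unlinked, and a pid that vanished between the socket listing and the /proc lookup. Without the flag it inspects the live host and needs root for the same reason the man page gives.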