[apparmor] aa-unconfined man page vs behavior?

Steve Beattie steve at nxnw.org
Fri Dec 30 07:33:57 UTC 2016

While editing the man page for aa-unconfined in this patch set, I
noticed that it's uh pretty inaccurate at describing the behavior
of aa-unconfined. It described listing processes without apparmor
policies applied, whereas the tool reports processes with and without
policies applied.

The question is, which way is the preferred way to fix this? Change
the documentation to accurately reflect the tool's behavior, or adjust
the tool to more closely reflect the documentation?

For reference, here's the man page, after applying the first patch in
the series:

AA-UNCONFINED(8)             AppArmor              AA-UNCONFINED(8)

NAME
       aa-unconfined - output a list of processes with tcp or udp
       ports that do not have AppArmor profiles loaded

SYNOPSIS
       aa-unconfined [--paranoid] [--with-ss | --with-netstat]

OPTIONS
       --paranoid
           Displays all processes from /proc filesystem with tcp or
           udp ports that do not have AppArmor profiles loaded.

       --with-ss
           Use the ss(8) command to find processes listening on
           network sockets (the default).

       --with-netstat
           Use the netstat(8) command to find processes listening on
           network sockets. This is also what aa-unconfined will
           fall back to when ss(8) is not available.

DESCRIPTION
       aa-unconfined will use netstat(8) to determine which
       processes have open network sockets and do not have AppArmor
       profiles loaded into the kernel.

BUGS
       aa-unconfined must be run as root to retrieve the process
       executable link from the /proc filesystem. This program is
       susceptible to race conditions of several flavours: an
       unlinked executable will be mishandled; an executable started
       before an AppArmor profile is loaded will not appear in the
       output, despite running without confinement; a process that
       dies between the netstat(8) and further checks will be
       mishandled. This program only lists processes using TCP and
       UDP. In short, this program is unsuitable for forensics use
       and is provided only as an aid to profiling all network-
       accessible processes in the lab.

       If you find any bugs, please report them at

SEE ALSO
       ss(8), netstat(8), apparmor(7), apparmor.d(5),
       aa_change_hat(2), and <http://wiki.apparmor.net>.

AppArmor 2.10.95             2016-12-30             AA-UNCONFINED(8)

Steve Beattie
<sbeattie at ubuntu.com>
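For reference, the behaviour being discussed (collect pids from ss(8), then read
/proc/<pid>/exe and /proc/<pid>/attr/current and report both confined and
unconfined processes) as a small stand-alone illustration. This is an added
example, not the project's aa-unconfined code and not part of the message above.
The ss(8) output and the /proc contents in it are constructed, the function names
are made up, and skipping a pid whose /proc entry has vanished is one possible
way of handling the "process dies between netstat(8) and further checks" race
from the BUGS section, not necessarily what the tool does.

```python
"""Illustration of the aa-unconfined logic described in the man page (added
example; not the AppArmor project's code)."""
import os
import re
from typing import Callable, Dict, List, Optional, Set

# Constructed sample of `ss -nlp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=2345,fd=7))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=3456,fd=6))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("python3",pid=4567,fd=4))
"""

# Constructed stand-in for /proc/<pid>/exe and /proc/<pid>/attr/current.
# None models a process that exited between the ss(8) run and the /proc check.
FAKE_PROC: Dict[int, Optional[dict]] = {
    1234: {"exe": "/usr/sbin/sshd", "attr": "/usr/sbin/sshd (enforce)\n"},
    2345: {"exe": "/usr/sbin/cupsd", "attr": "unconfined\n"},
    3456: {"exe": "/sbin/dhclient", "attr": "/sbin/dhclient (complain)\n"},
    4567: None,
}

PID_RE = re.compile(r"pid=(\d+)")


def pids_from_ss(ss_output: str) -> Set[int]:
    """Collect every pid that ss(8) attributes a listening socket to."""
    pids: Set[int] = set()
    for line in ss_output.splitlines():
        for match in PID_RE.finditer(line):
            pids.add(int(match.group(1)))
    return pids


def classify(attr_current: Optional[str]) -> str:
    """Map /proc/<pid>/attr/current content to a confined/not confined label.

    The kernel reports 'unconfined' for an unconfined task, otherwise
    'profile-name (mode)', e.g. '/usr/sbin/sshd (enforce)'. An empty or
    missing value is treated as unconfined here (assumption).
    """
    text = (attr_current or "").strip()
    if not text or text == "unconfined":
        return "not confined"
    return "confined by '%s'" % text


def read_real_proc(pid: int) -> Optional[dict]:
    """Read the live /proc entries; root is needed to resolve the exe link."""
    try:
        exe = os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None  # process already gone (or no privilege to read the link)
    try:
        with open("/proc/%d/attr/current" % pid) as fh:
            attr = fh.read()
    except OSError:
        attr = None  # no readable LSM label: reported as not confined
    return {"exe": exe, "attr": attr}


def report(pids: Set[int], read_proc: Callable[[int], Optional[dict]]) -> List[str]:
    """One output line per pid, in pid order; vanished pids are skipped."""
    lines: List[str] = []
    for pid in sorted(pids):
        entry = read_proc(pid)
        if entry is None:
            continue  # died between ss(8) and this check
        lines.append("%d %s %s" % (pid, entry["exe"], classify(entry["attr"])))
    return lines


def run(ss_output: str = SAMPLE_SS_OUTPUT,
        proc: Dict[int, Optional[dict]] = FAKE_PROC) -> List[str]:
    """Run the pipeline against the constructed sample data."""
    return report(pids_from_ss(ss_output), proc.get)


if __name__ == "__main__":
    # Offline demo on the constructed data; on a Linux host as root,
    # report(pids_from_ss(subprocess.check_output(["ss", "-nlp"]).decode()),
    #        read_real_proc) would do the same against the live system.
    print("\n".join(run()))
```

Note that, as in the tool, the output lists every listening process and says
for each whether it is confined or not; only the man page text claims the
list is restricted to unconfined ones.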