[apparmor] aa-unconfined man page vs behavior?

John Johansen john.johansen at canonical.com
Fri Dec 30 08:25:15 UTC 2016

On 12/29/2016 11:33 PM, Steve Beattie wrote:
> While editing the man page for aa-unconfined in this patch set, I
> noticed that it's uh pretty inaccurate at describing the behavior
> of aa-unconfined. It described listing processes without apparmor
> policies applied, whereas the tool reports processes with and without
> policies applied.
> The question is, which way is the preferred way to fix this? Change
> the documentation to accurately reflect the tool's behavior, or adjust
> the tool to more closely reflect the documentation?
Well, I think the name is really pushing in the direction of only

Note that it does only report unconfined processes without --paranoid
but with --paranoid it reports both confined and unconfined.

If we want the other behavior we can add a new tool aa-confined, or
aa-netstat, ..? or some such

> For reference, here's the man page, after applying the first patch in
> the series:
> AA-UNCONFINED(8)             AppArmor              AA-UNCONFINED(8)
>
> NAME
>        aa-unconfined - output a list of processes with tcp or udp
>        ports that do not have AppArmor profiles loaded
>
> SYNOPSIS
>        aa-unconfined [--paranoid] [--with-ss | --with-netstat]
>
> OPTIONS
>        --paranoid
>            Displays all processes from /proc filesystem with tcp or
>            udp ports that do not have AppArmor profiles loaded.
>
>        --with-ss
>            Use the ss(8) command to find processes listening on
>            network sockets (the default).
>
>        --with-netstat
>            Use the netstat(8) command to find processes listening on
>            network sockets. This is also what aa-unconfined will
>            fall back to when ss(8) is not available.
>
> DESCRIPTION
>        aa-unconfined will use netstat(8) to determine which
>        processes have open network sockets and do not have AppArmor
>        profiles loaded into the kernel.
>
> BUGS
>        aa-unconfined must be run as root to retrieve the process
>        executable link from the /proc filesystem. This program is
>        susceptible to race conditions of several flavours: an
>        unlinked executable will be mishandled; an executable started
>        before an AppArmor profile is loaded will not appear in the
>        output, despite running without confinement; a process that
>        dies between the netstat(8) and further checks will be
>        mishandled. This program only lists processes using TCP and
>        UDP. In short, this program is unsuitable for forensics use
>        and is provided only as an aid to profiling all network-
>        accessible processes in the lab.
>
>        If you find any bugs, please report them at
>        <https://bugs.launchpad.net/apparmor/+filebug>.
>
> SEE ALSO
>        ss(8), netstat(8), apparmor(7), apparmor.d(5),
>        aa_change_hat(2), and <http://wiki.apparmor.net>.
>
> AppArmor 2.10.95             2016-12-30             AA-UNCONFINED(8)
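The check the man page describes (find PIDs owning network sockets via ss(8), then read each process's AppArmor label and executable link from /proc), with the default-versus---paranoid filtering John describes, as an added worked example. This is not the AppArmor project's aa-unconfined code; the ss(8) output, PIDs, paths and /proc contents below are constructed so the script runs offline, and the `--live` readers, the `[executable unlinked]` marker and the skipping of a PID that vanished between ss(8) and the /proc lookup are this example's own handling of the races listed under BUGS.

```python
#!/usr/bin/env python3
"""Toy re-implementation of the aa-unconfined check discussed on this page.
Not the AppArmor project's code: sample data is constructed inline so it
runs offline; the proc_*_reader functions show what a live run would read."""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed `ss -nlp` output (hypothetical hosts, PIDs and programs). The
# last socket is shared by two PIDs, as happens with forked workers.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=2345,fd=7))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=3456,fd=6))
tcp   LISTEN 0      128            [::1]:5432          [::]:*     users:(("postgres",pid=4567,fd=5),("postgres",pid=4568,fd=5))
"""
# Constructed /proc/<pid>/attr/current contents. PID 4568 is deliberately
# absent: it exited between ss(8) and the /proc check (the race in BUGS).
SAMPLE_ATTR_CURRENT: Dict[int, str] = {
    1234: "unconfined\n",
    2345: "/usr/sbin/cupsd (enforce)\n",
    3456: "/sbin/dhclient (complain)\n",
    4567: "unconfined\n",
}
# Constructed readlink(/proc/<pid>/exe) results; the postgres binary was
# replaced on disk, which the kernel reports with a " (deleted)" suffix.
SAMPLE_EXE: Dict[int, str] = {
    1234: "/usr/sbin/sshd",
    2345: "/usr/sbin/cupsd",
    3456: "/sbin/dhclient",
    4567: "/usr/lib/postgresql/bin/postgres (deleted)",
}

PID_RE = re.compile(r"pid=(\d+)")
ATTR_RE = re.compile(r"^(.*\S)\s+\((\w+)\)$")   # "<profile> (<mode>)"


@dataclass
class SocketProcess:
    pid: int
    exe: str
    profile: str            # "unconfined" or the profile name
    mode: Optional[str]     # "enforce", "complain", ...; None when unconfined
    exe_unlinked: bool      # /proc/<pid>/exe pointed at a deleted file

    @property
    def confined(self) -> bool:
        return self.profile != "unconfined"


def pids_from_ss(ss_output: str) -> List[int]:
    """Every PID named in `ss -nlp` output, in order, without duplicates."""
    pids: List[int] = []
    for match in PID_RE.finditer(ss_output):
        pid = int(match.group(1))
        if pid not in pids:
            pids.append(pid)
    return pids


def parse_attr_current(attr: str) -> Tuple[str, Optional[str]]:
    """Split '<profile> (<mode>)' into its parts; 'unconfined' has no mode."""
    attr = attr.strip()
    if attr in ("", "unconfined"):
        return "unconfined", None
    match = ATTR_RE.match(attr)
    return (match.group(1), match.group(2)) if match else (attr, None)


def proc_attr_reader(pid: int) -> str:
    """Live reader: the process's AppArmor label (root needed for other users' PIDs)."""
    for path in (f"/proc/{pid}/attr/apparmor/current", f"/proc/{pid}/attr/current"):
        if os.path.exists(path):
            with open(path) as handle:
                return handle.read()
    raise FileNotFoundError(f"/proc/{pid}/attr/current")


def proc_exe_reader(pid: int) -> str:
    """Live reader: resolve /proc/<pid>/exe (root needed for other users' PIDs)."""
    return os.readlink(f"/proc/{pid}/exe")


def sample_reader(table: Dict[int, str]) -> Callable[[int], str]:
    """Offline stand-in for the /proc readers; a missing PID looks like a gone process."""
    def read(pid: int) -> str:
        if pid not in table:
            raise FileNotFoundError(f"/proc/{pid}")
        return table[pid]
    return read


def classify(pids: List[int], attr_reader, exe_reader) -> List[SocketProcess]:
    """Look up each PID; skip ones that vanished between ss(8) and this check."""
    entries: List[SocketProcess] = []
    for pid in pids:
        try:
            attr, exe = attr_reader(pid), exe_reader(pid)
        except (FileNotFoundError, ProcessLookupError):
            continue                      # process exited: do not crash, do not guess
        unlinked = exe.endswith(" (deleted)")
        if unlinked:
            exe = exe[: -len(" (deleted)")]
        profile, mode = parse_attr_current(attr)
        entries.append(SocketProcess(pid, exe, profile, mode, unlinked))
    return entries


def report(entries: List[SocketProcess], paranoid: bool = False) -> List[SocketProcess]:
    """Default: only unconfined processes. paranoid=True: confined ones too."""
    return [e for e in entries if paranoid or not e.confined]


def format_entry(e: SocketProcess) -> str:
    """Approximates the shape of aa-unconfined's output lines."""
    if e.confined:
        label = f"{e.profile} ({e.mode})" if e.mode else e.profile
        status = f"confined by '{label}'"
    else:
        status = "not confined"
    return f"{e.pid} {e.exe} {status}" + (" [executable unlinked]" if e.exe_unlinked else "")


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:      # real host: needs root, ss(8) and AppArmor
        import subprocess
        out = subprocess.run(["ss", "-nlp"], capture_output=True, text=True, check=True).stdout
        found = classify(pids_from_ss(out), proc_attr_reader, proc_exe_reader)
    else:
        found = classify(pids_from_ss(SAMPLE_SS_OUTPUT),
                         sample_reader(SAMPLE_ATTR_CURRENT), sample_reader(SAMPLE_EXE))
    for entry in report(found, paranoid="--paranoid" in sys.argv):
        print(format_entry(entry))
```

Run without flags to see the default behaviour (sshd and postgres listed as not confined), with `--paranoid` to see cupsd and dhclient listed with their profiles and modes as well. The listing is still only as good as its inputs: it covers TCP and UDP sockets only, and a process started before its profile was loaded shows whatever label the kernel currently reports, so it is a profiling aid, not a forensic inventory, exactly as the man page's BUGS section says.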
