[apparmor] aa-unconfined man page vs behavior?

Steve Beattie steve at nxnw.org
Fri Dec 30 18:41:40 UTC 2016

On Fri, Dec 30, 2016 at 12:25:15AM -0800, John Johansen wrote:
> On 12/29/2016 11:33 PM, Steve Beattie wrote:
> > While editing the man page for aa-unconfined in this patch set, I
> > noticed that it's uh pretty inaccurate at describing the behavior
> > of aa-unconfined. It described listing processes without apparmor
> > policies applied, whereas the tool reports processes with and without
> > policies applied.
> > 
> > The question is, which way is the preferred way to fix this? Change
> > the documentation to accurately reflect the tool's behavior, or adjust
> > the tool to more closely reflect the documentation?
> > 
> Well I think the name is really pushing in the direction of only
> unconfined.
> Note that it does only report unconfined processes without --paranoid
> but with --paranoid it reports both confined and unconfined.

That's not the behavior I see...

(tip of trunk, without patchset applied)

Ubuntu 16.04 LTS:

$ sudo ./aa-unconfined
1300 /sbin/rpcbind not confined
1455 /usr/sbin/NetworkManager not confined
1480 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
1664 /usr/sbin/dnsmasq confined by '/usr/sbin/dnsmasq (enforce)'
1711 /usr/sbin/sshd not confined
2153 /usr/sbin/openvpn not confined
3019 /usr/sbin/xinetd not confined
3130 /usr/sbin/tcsd not confined
3437 /usr/lib/postfix/sbin/master confined by 'postfix-master (enforce)'
3933 /usr/bin/ssh not confined
22072 /home/steam/.steam/ubuntu12_32/steam not confined
26822 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)'

and Ubuntu 14.04 LTS:

$ sudo ./aa-unconfined
1091 /sbin/rpcbind not confined
1196 /sbin/rpc.statd not confined
1965 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (enforce)'
2014 /usr/bin/perl (/usr/bin/perl -wT /usr/sbin/munin-node) not confined
2113 /usr/sbin/xinetd not confined
2155 /usr/sbin/sshd not confined
2218 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)'
2324 /usr/sbin/dnsmasq confined by '/usr/sbin/dnsmasq (enforce)'
2950 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
3094 /usr/sbin/rpc.mountd not confined
3268 /usr/lib/postfix/master not confined
4183 /usr/bin/mpd not confined
4296 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
8540 /usr/bin/Xvnc4 not confined
13728 /usr/sbin/sshd (sshd: user at pts/4) not confined
28374 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'

Also, --paranoid reports all processes, not just ones with network

> If we want the other behavior we can add a new tool aa-confined, or
> aa-netstat, ..? or some such

aa-status? :)

But I like the current behavior, both from a "it's comforting to see
what I do have confined" perspective as well as a potential fear of
asking myself "is the tool reporting nothing because I have everything
listening on a network socket confined, or because aa-unconfined is
buggy?" if we make the behavior consistent with the documentation.

That said, I'm mildly inclined to make it match the documentation (and
maybe provide an option to get the old behavior back), but I also fear
breaking things for people who might have scripts that parse the output
of aa-unconfined.

Steve Beattie
<sbeattie at ubuntu.com>
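The two candidate behaviours discussed above (report only unconfined processes, as the man page says, or report confined and unconfined alike, as the tool does) differ only in one filter over the same per-process confinement label. The script below is an added example and is not the aa-unconfined source or any other AppArmor project code; it reads the label the kernel exposes in /proc/<pid>/attr/apparmor/current (falling back to the older /proc/<pid>/attr/current), parses the "profile (mode)" form seen in the listings, and prints in the same line format. It does not reproduce aa-unconfined's restriction to processes holding network sockets; the sample input is constructed from the 16.04 listing in the thread, and the live /proc scan assumes a Linux host.

```python
#!/usr/bin/env python3
"""Added example (not aa-unconfined itself): classify processes by
AppArmor confinement label and show the "documented" vs "observed"
output of the tool over the same input."""
import os
import re

# Kernel label forms: "unconfined" or "<profile> (<mode>)", e.g.
# "/usr/sbin/dnsmasq (enforce)"; mode is enforce, complain, etc.
LABEL_RE = re.compile(r'^(?P<profile>.+?) \((?P<mode>[a-z]+)\)$')


def parse_label(label):
    """Return (profile, mode) for a confined label, None if unconfined.

    A non-empty label without a "(mode)" suffix is still treated as
    confined, with mode None, rather than silently reported as free.
    """
    label = (label or '').strip()
    if not label or label == 'unconfined':
        return None
    m = LABEL_RE.match(label)
    if m:
        return m.group('profile'), m.group('mode')
    return label, None


def read_label(pid):
    """Read a live confinement label from /proc (Linux only); None on error."""
    for path in (f'/proc/{pid}/attr/apparmor/current',
                 f'/proc/{pid}/attr/current'):
        try:
            with open(path) as f:
                return f.read().rstrip('\n')
        except OSError:
            continue
    return None


def format_line(pid, exe, label):
    """Render one process in the same layout the tool prints."""
    parsed = parse_label(label)
    if parsed is None:
        return f'{pid} {exe} not confined'
    profile, mode = parsed
    shown = f'{profile} ({mode})' if mode else profile
    return f"{pid} {exe} confined by '{shown}'"


def report(procs, only_unconfined=True):
    """procs: iterable of (pid, exe, label); returns the output lines.

    only_unconfined=True matches the man page (list only what has no
    policy); False matches the behaviour observed in the thread, where
    confined processes are listed with their profile and mode.
    """
    lines = []
    for pid, exe, label in sorted(procs, key=lambda p: p[0]):
        if only_unconfined and parse_label(label) is not None:
            continue
        lines.append(format_line(pid, exe, label))
    return lines


def live_procs():
    """Scan /proc for (pid, exe, label); skips pids we cannot inspect."""
    out = []
    for name in os.listdir('/proc'):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f'/proc/{pid}/exe')
        except OSError:
            continue  # kernel thread, exited, or not ours to read
        label = read_label(pid)
        if label is not None:
            out.append((pid, exe, label))
    return out


# Constructed sample mirroring part of the 16.04 listing in the thread.
SAMPLE = [
    (1300, '/sbin/rpcbind', 'unconfined'),
    (1480, '/usr/sbin/avahi-daemon', '/usr/sbin/avahi-daemon (complain)'),
    (1664, '/usr/sbin/dnsmasq', '/usr/sbin/dnsmasq (enforce)'),
    (1711, '/usr/sbin/sshd', 'unconfined'),
    (3437, '/usr/lib/postfix/sbin/master', 'postfix-master (enforce)'),
]

if __name__ == '__main__':
    print('# documented behaviour (unconfined only):')
    print('\n'.join(report(SAMPLE)))
    print('# observed behaviour (everything):')
    print('\n'.join(report(SAMPLE, only_unconfined=False)))
```

Running it against live_procs() instead of SAMPLE gives the "everything that is running" view (roughly what --paranoid reports, minus the tool's socket filter), which is useful as a sanity check when the unconfined-only listing comes back empty and you want to distinguish "all confined" from "nothing inspected".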
