[apparmor] aa-unconfined man page vs behavior?

John Johansen john.johansen at canonical.com
Fri Dec 30 19:30:00 UTC 2016


On 12/30/2016 10:41 AM, Steve Beattie wrote:
> On Fri, Dec 30, 2016 at 12:25:15AM -0800, John Johansen wrote:
>> On 12/29/2016 11:33 PM, Steve Beattie wrote:
>>> While editing the man page for aa-unconfined in this patch set, I
>>> noticed that it's uh pretty inaccurate at describing the behavior
>>> of aa-unconfined. It described listing processes without apparmor
>>> policies applied, whereas the tool reports processes with and without
>>> policies applied.
>>>
>>> The question is, which way is the preferred way to fix this? Change
>>> the documentation to accurately reflect the tool's behavior, or adjust
>>> the tool to more closely reflect the documentation?
>>>
>> Well I think the name is really pushing in the direction of only
>> unconfined.
>>
>> Note that it does only report unconfined processes without --paranoid
>> but with --paranoid it reports both confined and unconfined.
> 
> That's not the behavior I see...
> 
> (tip of trunk, without patchset applied)
> 
> Ubuntu 16.04 LTS:
> 
> $ sudo ./aa-unconfined
> 1300 /sbin/rpcbind not confined
> 1455 /usr/sbin/NetworkManager not confined
> 1480 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
> 1664 /usr/sbin/dnsmasq confined by '/usr/sbin/dnsmasq (enforce)'
> 1711 /usr/sbin/sshd not confined
> 2153 /usr/sbin/openvpn not confined
> 3019 /usr/sbin/xinetd not confined
> 3130 /usr/sbin/tcsd not confined
> 3437 /usr/lib/postfix/sbin/master confined by 'postfix-master (enforce)'
> 3933 /usr/bin/ssh not confined
> 22072 /home/steam/.steam/ubuntu12_32/steam not confined
> 26822 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)
> 
> and Ubuntu 14.04 LTS:
> 
> $ sudo ./aa-unconfined
> 1091 /sbin/rpcbind not confined
> 1196 /sbin/rpc.statd not confined
> 1965 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (enforce)'
> 2014 /usr/bin/perl (/usr/bin/perl -wT /usr/sbin/munin-node) not confined
> 2113 /usr/sbin/xinetd not confined
> 2155 /usr/sbin/sshd not confined
> 2218 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)'
> 2324 /usr/sbin/dnsmasq confined by '/usr/sbin/dnsmasq (enforce)'
> 2950 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
> 3094 /usr/sbin/rpc.mountd not confined
> 3268 /usr/lib/postfix/master not confined
> 4183 /usr/bin/mpd not confined
> 4296 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
> 8540 /usr/bin/Xvnc4 not confined
> 13728 /usr/sbin/sshd (sshd: user at pts/4) not confined
> 28374 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'
> 

Weird, though I must admit I didn't test tip of trunk but what is in
16.10.

> Also, --paranoid reports all processes, not just ones with network
> sockets.
> 
Sure, I was just noting I was seeing different behavior between them.

>> If we want the other behavior we can add a new tool aa-confined, or
>> aa-netstat, ..? or some such
> 
> aa-status? :)
> 
Nah, that is a different tool.

> But I like the current behavior, both from a "it's comforting to see
> what I do have confined" perspective as well as a potential fear of
> asking myself "is the tool reporting nothing because I have everything
> listening on a network socket confined, or because aa-unconfined is
> buggy?" if we make the behavior consistent with the documentation.
> 
I'm fine with there being a switch.

> That said, I'm mildly inclined to make it match the documentation (and
> maybe provide an option to get the old behavior back), but I also fear
> breaking things for people who might have scripts that parse the output
> of aa-unconfined.
> 
Well, it's pretty obvious that we are already inconsistent; we aren't even
seeing the same behavior.
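Since the thread raises scripts that parse aa-unconfined's output, here is an added example (not part of this thread or of the AppArmor tools) of a small Python parser for the output format quoted above, tolerant of the parenthesised command line and of the missing closing quote on the cups-browsed line, plus a helper that interprets a /proc/PID/attr/current label the way aa-unconfined reports it. The sample lines are constructed from the outputs quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the format shown in the 16.04 / 14.04 outputs above,
# including the "(command line)" form and the line missing its closing quote.
SAMPLE_OUTPUT = """\
1300 /sbin/rpcbind not confined
1664 /usr/sbin/dnsmasq confined by '/usr/sbin/dnsmasq (enforce)'
2014 /usr/bin/perl (/usr/bin/perl -wT /usr/sbin/munin-node) not confined
1480 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
26822 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)
"""

@dataclass
class Entry:
    pid: int
    exe: str
    cmdline: Optional[str]  # parenthesised command line, if aa-unconfined printed one
    profile: Optional[str]  # None when the process is not confined
    mode: Optional[str]     # "enforce", "complain", ...; None when not confined

# "<pid> <exe> [(<cmdline>)] not confined" or
# "<pid> <exe> [(<cmdline>)] confined by '<profile> (<mode>)'" (closing quote optional)
LINE_RE = re.compile(
    r"^(?P<pid>\d+) (?P<exe>\S+)(?: \((?P<cmd>[^)]*)\))? "
    r"(?:not confined|confined by '(?P<profile>.+) \((?P<mode>[a-z]+)\)'?)$"
)

# Label as read from /proc/<pid>/attr/current: "unconfined" or "<profile> (<mode>)"
LABEL_RE = re.compile(r"^(?P<profile>.+) \((?P<mode>[a-z]+)\)$")

def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unrecognised aa-unconfined line: {line!r}")
    return Entry(int(m["pid"]), m["exe"], m["cmd"], m["profile"], m["mode"])

def parse_output(text: str) -> List[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def unconfined(entries: List[Entry]) -> List[Entry]:
    """The subset aa-unconfined's man page describes: processes with no profile."""
    return [e for e in entries if e.profile is None]

def parse_confinement(label: str) -> Optional[Tuple[str, str]]:
    """Turn a /proc/<pid>/attr/current label into (profile, mode), or None if unconfined."""
    label = label.rstrip("\n\0")
    if label == "unconfined":
        return None
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"unrecognised confinement label: {label!r}")
    return (m["profile"], m["mode"])
```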
