[apparmor] [yast-devel] Upcoming changes in AppArmor aa-status output
John Johansen
john.johansen at canonical.com
Wed Jun 10 14:40:50 UTC 2020
On 5/4/20 1:08 AM, Stefan Hundhammer wrote:
> On 2020-04-30 13:22, Christian Boltz wrote:
>> Hello,
>>
>> AFAIK the YaST AppArmor module uses the JSON output of aa-status.
>>
>> There are two upcoming changes, and I'd like to point them out so that
>> you can adjust the YaST AppArmor module if needed.
>
> This time PLEASE remember to also bump the JSON version number of that output. We had to do a pretty ugly hot fix for that last time, and it was just coincidence that this did not conflict with the previous version.
>
The JSON version was bumped to 2.
Attached is an example output of aa-status, along with the corresponding pretty JSON and compressed JSON output, using the new unconfined, kill, mixed, and prompt modes.
-------------- next part --------------
apparmor module is loaded.
45 profiles are loaded.
40 profiles are in enforce mode.
/snap/core/9289/usr/lib/snapd/snap-confine
/snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
/{,usr/}sbin/dhclient
:ns:foo
firefox
firefox//browser_java
firefox//browser_openjdk
firefox//lsb_release
firefox//sanitized_helper
ippusbxd
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.core
snap-update-ns.snap-store
snap.core.hook.configure
snap.snap-store.snap-store
snap.snap-store.ubuntu-software
snap.snap-store.ubuntu-software-local-file
2 profiles are in complain mode.
libreoffice-oopslash
libreoffice-soffice
1 profiles are in kill mode.
example
1 profiles are in unconfined mode.
test
1 profiles are in prompt mode.
interactive
8 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/cups-browsed (624)
/usr/sbin/cupsd (520)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/bin/bash (1466) test
1 processes are in mixed mode.
/usr/bin/cat (1502) interactive//&:ns:foo
1 processes are in kill mode.
/usr/bin/cat (1474) example
3 processes are in prompt mode.
/usr/bin/cat (1475) interactive
/usr/bin/cat (1499) interactive//&:ns:unconfined
/usr/bin/cat (1497) interactive//&unconfined
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aa-status.json
Type: application/json
Size: 2477 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20200610/502d59a6/attachment.json>
-------------- next part --------------
{
"version": "2",
"profiles": {
"/snap/core/9289/usr/lib/snapd/snap-confine": "enforce",
"/snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper": "enforce",
"/usr/bin/evince": "enforce",
"/usr/bin/evince-previewer": "enforce",
"/usr/bin/evince-previewer//sanitized_helper": "enforce",
"/usr/bin/evince-thumbnailer": "enforce",
"/usr/bin/evince//sanitized_helper": "enforce",
"/usr/bin/man": "enforce",
"/usr/lib/NetworkManager/nm-dhcp-client.action": "enforce",
"/usr/lib/NetworkManager/nm-dhcp-helper": "enforce",
"/usr/lib/connman/scripts/dhclient-script": "enforce",
"/usr/lib/cups/backend/cups-pdf": "enforce",
"/usr/lib/snapd/snap-confine": "enforce",
"/usr/lib/snapd/snap-confine//mount-namespace-capture-helper": "enforce",
"/usr/sbin/cups-browsed": "enforce",
"/usr/sbin/cupsd": "enforce",
"/usr/sbin/cupsd//third_party": "enforce",
"/usr/sbin/tcpdump": "enforce",
"/{,usr/}sbin/dhclient": "enforce",
":ns:foo": "enforce",
"firefox": "enforce",
"firefox//browser_java": "enforce",
"firefox//browser_openjdk": "enforce",
"firefox//lsb_release": "enforce",
"firefox//sanitized_helper": "enforce",
"ippusbxd": "enforce",
"libreoffice-senddoc": "enforce",
"libreoffice-soffice//gpg": "enforce",
"libreoffice-xpdfimport": "enforce",
"lsb_release": "enforce",
"man_filter": "enforce",
"man_groff": "enforce",
"nvidia_modprobe": "enforce",
"nvidia_modprobe//kmod": "enforce",
"snap-update-ns.core": "enforce",
"snap-update-ns.snap-store": "enforce",
"snap.core.hook.configure": "enforce",
"snap.snap-store.snap-store": "enforce",
"snap.snap-store.ubuntu-software": "enforce",
"snap.snap-store.ubuntu-software-local-file": "enforce",
"libreoffice-oopslash": "complain",
"libreoffice-soffice": "complain",
"example": "kill",
"test": "unconfined",
"interactive": "prompt"
},
"processes": {
"/usr/sbin/cups-browsed": [{
"profile": "/usr/sbin/cups-browsed",
"pid": "624",
"status": "enforce"
}],
"/usr/sbin/cupsd": [{
"profile": "/usr/sbin/cupsd",
"pid": "520",
"status": "enforce"
}],
"/usr/bin/bash": [{
"profile": "test",
"pid": "1466",
"status": "unconfined"
}],
"/usr/bin/cat": [{
"profile": "interactive//&:ns:foo",
"pid": "1502",
"status": "mixed"
}],
"/usr/bin/cat": [{
"profile": "example",
"pid": "1474",
"status": "kill"
}],
"/usr/bin/cat": [{
"profile": "interactive",
"pid": "1475",
"status": "prompt"
}, {
"profile": "interactive//&unconfined",
"pid": "1497",
"status": "prompt"
}, {
"profile": "interactive//&:ns:unconfined",
"pid": "1499",
"status": "prompt"
}]
}
}
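
Added example, not part of the original message or of AppArmor's or YaST's code: a consumer-side reader for the version 2 JSON shown above that checks the "version" field before trusting the layout and keeps every entry when a binary path such as "/usr/bin/cat" appears more than once as a key under "processes" (a default JSON parser keeps only the last one). The names SUPPORTED_VERSIONS, KNOWN_MODES, merge_pairs, load_status and process_modes are hypothetical, and SAMPLE is a constructed, cut-down copy of the attachment.

```python
import json
from collections import Counter

SUPPORTED_VERSIONS = {"2"}  # version string shown in the message above
KNOWN_MODES = {"enforce", "complain", "kill", "unconfined", "prompt", "mixed"}

# Constructed sample: a cut-down copy of the output above that keeps the
# repeated "/usr/bin/cat" key as it appears there.
SAMPLE = """{"version": "2",
 "profiles": {"example": "kill", "interactive": "prompt"},
 "processes": {
  "/usr/sbin/cupsd": [{"profile": "/usr/sbin/cupsd", "pid": "520", "status": "enforce"}],
  "/usr/bin/cat": [{"profile": "interactive//&:ns:foo", "pid": "1502", "status": "mixed"}],
  "/usr/bin/cat": [{"profile": "example", "pid": "1474", "status": "kill"}],
  "/usr/bin/cat": [{"profile": "interactive", "pid": "1475", "status": "prompt"}]}}"""


def merge_pairs(pairs):
    """object_pairs_hook: append list values of a repeated key instead of overwriting."""
    merged = {}
    for key, value in pairs:
        if isinstance(merged.get(key), list) and isinstance(value, list):
            merged[key] = merged[key] + value
        else:
            merged[key] = value
    return merged


def load_status(text):
    """Parse aa-status JSON; reject versions this consumer was not written for."""
    doc = json.loads(text, object_pairs_hook=merge_pairs)
    if doc.get("version") not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported aa-status JSON version: {doc.get('version')!r}")
    return doc


def process_modes(doc):
    """Count processes per status and collect any status not in KNOWN_MODES."""
    counts = Counter(e["status"] for entries in doc["processes"].values() for e in entries)
    return counts, set(counts) - KNOWN_MODES


if __name__ == "__main__":
    naive = json.loads(SAMPLE)  # default parser: last duplicate key wins
    print("naive cat entries:", len(naive["processes"]["/usr/bin/cat"]))
    counts, unknown = process_modes(load_status(SAMPLE))
    print(dict(counts), "unknown:", sorted(unknown))
```

A monitoring consumer that parses this output with the default behaviour would not see the kill-mode and mixed-mode cat processes at all, so the merge step matters for anything that alerts on process confinement state.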