On Fri, Dec 30, 2016 at 12:25:15AM -0800, John Johansen wrote:
> On 12/29/2016 11:33 PM, Steve Beattie wrote:
> > While editing the man page for aa-unconfined in this patch set, I
> > noticed that it's uh pretty inaccurate at describing the behavior
> > of aa-unconfined. It described listing processes without apparmor
> > policies applied, whereas the tool reports processes with and without
> > policies applied.
> >
> > The question is, which way is the preferred way to fix this? Change
> > the documentation to accurately reflect the tool's behavior, or adjust
> > the tool to more closely reflect the documentation?
> >
> Well I think the name is really pushing in the direction of only
> unconfined.
>
> Note that it does only report unconfined processes without --paranoid
> but with --paranoid it reports both confined and unconfined.
That's not the behavior I see... (tip of trunk, without patchset applied)

Ubuntu 16.04 LTS:

$ sudo ./aa-unconfined
1300 /sbin/rpcbind not confined
1455 /usr/sbin/NetworkManager not confined
1480 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
1664 /usr/sbin/dnsmasq confined by '/usr/sbin/dnsmasq (enforce)'
1711 /usr/sbin/sshd not confined
2153 /usr/sbin/openvpn not confined
3019 /usr/sbin/xinetd not confined
3130 /usr/sbin/tcsd not confined
3437 /usr/lib/postfix/sbin/master confined by 'postfix-master (enforce)'
3933 /usr/bin/ssh not confined
22072 /home/steam/.steam/ubuntu12_32/steam not confined
26822 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)'

and Ubuntu 14.04 LTS:

$ sudo ./aa-unconfined
1091 /sbin/rpcbind not confined
1196 /sbin/rpc.statd not confined
1965 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (enforce)'
2014 /usr/bin/perl (/usr/bin/perl -wT /usr/sbin/munin-node) not confined
2113 /usr/sbin/xinetd not confined
2155 /usr/sbin/sshd not confined
2218 /usr/sbin/cups-browsed confined by '/usr/sbin/cups-browsed (enforce)'
2324 /usr/sbin/dnsmasq confined by '/usr/sbin/dnsmasq (enforce)'
2950 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
3094 /usr/sbin/rpc.mountd not confined
3268 /usr/lib/postfix/master not confined
4183 /usr/bin/mpd not confined
4296 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
8540 /usr/bin/Xvnc4 not confined
13728 /usr/sbin/sshd (sshd: user@pts/4) not confined
28374 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'

Also, --paranoid reports all processes, not just ones with network sockets.

> If we want the other behavior we can add a new tool aa-confined, or
> aa-netstat, ..? or some such

aa-status? :)

But I like the current behavior, both from a "it's comforting to see what I
do have confined" perspective as well as a potential fear of asking myself
"is the tool reporting nothing because I have everything listening on a
network socket confined, or because aa-unconfined is buggy?" if we make the
behavior consistent with the documentation.

That said, I'm mildly inclined to make it match the documentation (and
maybe provide an option to get the old behavior back), but I also fear
breaking things for people who might have scripts that parse the output of
aa-unconfined.

-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
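Since the thread raises scripts that parse aa-unconfined output, here is an added example (not from the thread or the apparmor project) of a parser for the report format shown in the listings above: it handles both the "not confined" and "confined by '<profile> (<mode>)'" forms, the optional parenthesised command line, and lets a script pick out only the unconfined processes regardless of which way the tool is eventually changed. The sample lines are copied from the listings quoted above; the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
# One aa-unconfined report line: "<pid> <exe> [(<cmdline>)] not confined" or
# "<pid> <exe> [(<cmdline>)] confined by '<profile> (<mode>)'". The optional
# command line is matched non-greedily so "(sshd: user@pts/4)" still parses.
_LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<exe>\S+)(?:\s+\((?P<args>.*?)\))?\s+"
    r"(?:not confined|confined by '(?P<profile>.+) \((?P<mode>\w+)\)')$"
)

@dataclass
class ProcEntry:
    pid: int
    exe: str
    args: Optional[str]     # command line when aa-unconfined shows one
    profile: Optional[str]  # None when no policy is applied
    mode: Optional[str]     # "enforce", "complain" or None

def parse_report(text: str) -> List[ProcEntry]:
    """Parse captured aa-unconfined output, failing loudly on unknown lines."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("$"):
            continue  # blank line or the echoed shell prompt
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised aa-unconfined line: {line!r}")
        entries.append(ProcEntry(int(m["pid"]), m["exe"], m["args"], m["profile"], m["mode"]))
    return entries

def unconfined_only(entries: List[ProcEntry]) -> List[ProcEntry]:
    """The subset the man page describes: processes with no policy applied."""
    return [e for e in entries if e.profile is None]

def summarize(entries: List[ProcEntry]) -> Dict[str, int]:
    """Count processes per state, e.g. {'unconfined': 3, 'enforce': 2, 'complain': 1}."""
    return dict(Counter("unconfined" if e.profile is None else e.mode for e in entries))

# Constructed sample: lines copied from the listings quoted in this thread.
SAMPLE = """\
$ sudo ./aa-unconfined
1300 /sbin/rpcbind not confined
1480 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
1664 /usr/sbin/dnsmasq confined by '/usr/sbin/dnsmasq (enforce)'
2014 /usr/bin/perl (/usr/bin/perl -wT /usr/sbin/munin-node) not confined
3437 /usr/lib/postfix/sbin/master confined by 'postfix-master (enforce)'
13728 /usr/sbin/sshd (sshd: user@pts/4) not confined
"""
```

A script that only cares about gaps in coverage calls unconfined_only(parse_report(output)); summarize() gives the "what do I have confined" view in one dict.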
-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
