On 5/4/20 1:08 AM, Stefan Hundhammer wrote: > On 2020-04-30 13:22, Christian Boltz wrote: >> Hello, >> >> AFAIK the YaST AppArmor module uses the JSON output of aa-status. >> >> There are two upcoming changes, and I'd like to point them out so that >> you can adjust the YaST AppArmor module if needed. > > This time PLEASE remember to also bump the JSON version number of that > output. We had to do a pretty ugly hot fix for that last time, and it was > just coincidence that this did not conflict with the previous version. >
the JSON version was bumped to 2 attached is an example output of aa-status, along with the corresponding pretty json and compressed json output using the new unconfined, kill, mixed, and prompt modes
apparmor module is loaded.
45 profiles are loaded.
40 profiles are in enforce mode.
/snap/core/9289/usr/lib/snapd/snap-confine
/snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
/{,usr/}sbin/dhclient
:ns:foo
firefox
firefox//browser_java
firefox//browser_openjdk
firefox//lsb_release
firefox//sanitized_helper
ippusbxd
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.core
snap-update-ns.snap-store
snap.core.hook.configure
snap.snap-store.snap-store
snap.snap-store.ubuntu-software
snap.snap-store.ubuntu-software-local-file
2 profiles are in complain mode.
libreoffice-oopslash
libreoffice-soffice
1 profiles are in kill mode.
example
1 profiles are in unconfined mode.
test
1 profiles are in prompt mode.
interactive
8 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/cups-browsed (624)
/usr/sbin/cupsd (520)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/bin/bash (1466) test
1 processes are in mixed mode.
/usr/bin/cat (1502) interactive//&:ns:foo
1 processes are in kill mode.
/usr/bin/cat (1474) example
3 processes are in prompt mode.
/usr/bin/cat (1475) interactive
/usr/bin/cat (1499) interactive//&:ns:unconfined
/usr/bin/cat (1497) interactive//&unconfined
aa-status.json
Description: application/json
{
"version": "2",
"profiles": {
"/snap/core/9289/usr/lib/snapd/snap-confine": "enforce",
"/snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper":
"enforce",
"/usr/bin/evince": "enforce",
"/usr/bin/evince-previewer": "enforce",
"/usr/bin/evince-previewer//sanitized_helper": "enforce",
"/usr/bin/evince-thumbnailer": "enforce",
"/usr/bin/evince//sanitized_helper": "enforce",
"/usr/bin/man": "enforce",
"/usr/lib/NetworkManager/nm-dhcp-client.action":
"enforce",
"/usr/lib/NetworkManager/nm-dhcp-helper": "enforce",
"/usr/lib/connman/scripts/dhclient-script": "enforce",
"/usr/lib/cups/backend/cups-pdf": "enforce",
"/usr/lib/snapd/snap-confine": "enforce",
"/usr/lib/snapd/snap-confine//mount-namespace-capture-helper":
"enforce",
"/usr/sbin/cups-browsed": "enforce",
"/usr/sbin/cupsd": "enforce",
"/usr/sbin/cupsd//third_party": "enforce",
"/usr/sbin/tcpdump": "enforce",
"/{,usr/}sbin/dhclient": "enforce",
":ns:foo": "enforce",
"firefox": "enforce",
"firefox//browser_java": "enforce",
"firefox//browser_openjdk": "enforce",
"firefox//lsb_release": "enforce",
"firefox//sanitized_helper": "enforce",
"ippusbxd": "enforce",
"libreoffice-senddoc": "enforce",
"libreoffice-soffice//gpg": "enforce",
"libreoffice-xpdfimport": "enforce",
"lsb_release": "enforce",
"man_filter": "enforce",
"man_groff": "enforce",
"nvidia_modprobe": "enforce",
"nvidia_modprobe//kmod": "enforce",
"snap-update-ns.core": "enforce",
"snap-update-ns.snap-store": "enforce",
"snap.core.hook.configure": "enforce",
"snap.snap-store.snap-store": "enforce",
"snap.snap-store.ubuntu-software": "enforce",
"snap.snap-store.ubuntu-software-local-file": "enforce",
"libreoffice-oopslash": "complain",
"libreoffice-soffice": "complain",
"example": "kill",
"test": "unconfined",
"interactive": "prompt"
},
"processes": {
"/usr/sbin/cups-browsed": [{
"profile": "/usr/sbin/cups-browsed",
"pid": "624",
"status": "enforce"
}],
"/usr/sbin/cupsd": [{
"profile": "/usr/sbin/cupsd",
"pid": "520",
"status": "enforce"
}],
"/usr/bin/bash": [{
"profile": "test",
"pid": "1466",
"status": "unconfined"
}],
"/usr/bin/cat": [{
"profile": "interactive//&:ns:foo",
"pid": "1502",
"status": "mixed"
}],
"/usr/bin/cat": [{
"profile": "example",
"pid": "1474",
"status": "kill"
}],
"/usr/bin/cat": [{
"profile": "interactive",
"pid": "1475",
"status": "prompt"
}, {
"profile": "interactive//&unconfined",
"pid": "1497",
"status": "prompt"
}, {
"profile": "interactive//&:ns:unconfined",
"pid": "1499",
"status": "prompt"
}]
}
}
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
