On 5/4/20 1:08 AM, Stefan Hundhammer wrote:
> On 2020-04-30 13:22, Christian Boltz wrote:
>> Hello,
>>
>> AFAIK the YaST AppArmor module uses the JSON output of aa-status.
>>
>> There are two upcoming changes, and I'd like to point them out so that
>> you can adjust the YaST AppArmor module if needed.
> 
> This time PLEASE remember to also bump the JSON version number of that 
> output. We had to do a pretty ugly hot fix for that last time, and it was 
> just coincidence that this did not conflict with the previous version.
> 

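The JSON version was bumped to 2.

Attached is an example output of aa-status, along with the corresponding pretty 
JSON and compressed JSON output, using the new unconfined, kill, mixed, and 
prompt modes. Note for consumers: in the JSON below, "processes" repeats the 
key "/usr/bin/cat" three times (once each for the mixed, kill, and prompt 
entries). Many JSON parsers keep only the last value for a duplicated key, so 
such a parser would see only the prompt-mode entries and miss the mixed-mode 
and kill-mode processes; any tool that reports confinement status from this 
output should be checked for how it handles repeated keys.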
apparmor module is loaded.
45 profiles are loaded.
40 profiles are in enforce mode.
   /snap/core/9289/usr/lib/snapd/snap-confine
   /snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   :ns:foo
   firefox
   firefox//browser_java
   firefox//browser_openjdk
   firefox//lsb_release
   firefox//sanitized_helper
   ippusbxd
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.core
   snap-update-ns.snap-store
   snap.core.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
1 profiles are in kill mode.
   example
1 profiles are in unconfined mode.
   test
1 profiles are in prompt mode.
   interactive
8 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cups-browsed (624) 
   /usr/sbin/cupsd (520) 
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/bash (1466) test
1 processes are in mixed mode.
   /usr/bin/cat (1502) interactive//&:ns:foo
1 processes are in kill mode.
   /usr/bin/cat (1474) example
3 processes are in prompt mode.
   /usr/bin/cat (1475) interactive
   /usr/bin/cat (1499) interactive//&:ns:unconfined
   /usr/bin/cat (1497) interactive//&unconfined

Attachment: aa-status.json
Description: application/json

{
        "version":      "2",
        "profiles":     {
                "/snap/core/9289/usr/lib/snapd/snap-confine":   "enforce",
                
"/snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper":   
"enforce",
                "/usr/bin/evince":      "enforce",
                "/usr/bin/evince-previewer":    "enforce",
                "/usr/bin/evince-previewer//sanitized_helper":  "enforce",
                "/usr/bin/evince-thumbnailer":  "enforce",
                "/usr/bin/evince//sanitized_helper":    "enforce",
                "/usr/bin/man": "enforce",
                "/usr/lib/NetworkManager/nm-dhcp-client.action":        
"enforce",
                "/usr/lib/NetworkManager/nm-dhcp-helper":       "enforce",
                "/usr/lib/connman/scripts/dhclient-script":     "enforce",
                "/usr/lib/cups/backend/cups-pdf":       "enforce",
                "/usr/lib/snapd/snap-confine":  "enforce",
                "/usr/lib/snapd/snap-confine//mount-namespace-capture-helper":  
"enforce",
                "/usr/sbin/cups-browsed":       "enforce",
                "/usr/sbin/cupsd":      "enforce",
                "/usr/sbin/cupsd//third_party": "enforce",
                "/usr/sbin/tcpdump":    "enforce",
                "/{,usr/}sbin/dhclient":        "enforce",
                ":ns:foo":      "enforce",
                "firefox":      "enforce",
                "firefox//browser_java":        "enforce",
                "firefox//browser_openjdk":     "enforce",
                "firefox//lsb_release": "enforce",
                "firefox//sanitized_helper":    "enforce",
                "ippusbxd":     "enforce",
                "libreoffice-senddoc":  "enforce",
                "libreoffice-soffice//gpg":     "enforce",
                "libreoffice-xpdfimport":       "enforce",
                "lsb_release":  "enforce",
                "man_filter":   "enforce",
                "man_groff":    "enforce",
                "nvidia_modprobe":      "enforce",
                "nvidia_modprobe//kmod":        "enforce",
                "snap-update-ns.core":  "enforce",
                "snap-update-ns.snap-store":    "enforce",
                "snap.core.hook.configure":     "enforce",
                "snap.snap-store.snap-store":   "enforce",
                "snap.snap-store.ubuntu-software":      "enforce",
                "snap.snap-store.ubuntu-software-local-file":   "enforce",
                "libreoffice-oopslash": "complain",
                "libreoffice-soffice":  "complain",
                "example":      "kill",
                "test": "unconfined",
                "interactive":  "prompt"
        },
        "processes":    {
                "/usr/sbin/cups-browsed":       [{
                                "profile":      "/usr/sbin/cups-browsed",
                                "pid":  "624",
                                "status":       "enforce"
                        }],
                "/usr/sbin/cupsd":      [{
                                "profile":      "/usr/sbin/cupsd",
                                "pid":  "520",
                                "status":       "enforce"
                        }],
                "/usr/bin/bash":        [{
                                "profile":      "test",
                                "pid":  "1466",
                                "status":       "unconfined"
                        }],
                "/usr/bin/cat": [{
                                "profile":      "interactive//&:ns:foo",
                                "pid":  "1502",
                                "status":       "mixed"
                        }],
                "/usr/bin/cat": [{
                                "profile":      "example",
                                "pid":  "1474",
                                "status":       "kill"
                        }],
                "/usr/bin/cat": [{
                                "profile":      "interactive",
                                "pid":  "1475",
                                "status":       "prompt"
                        }, {
                                "profile":      "interactive//&unconfined",
                                "pid":  "1497",
                                "status":       "prompt"
                        }, {
                                "profile":      "interactive//&:ns:unconfined",
                                "pid":  "1499",
                                "status":       "prompt"
                        }]
        }
}