Hello,

I just noticed that this mail about the aa-status changes never made 
it to yast-devel, probably because John isn't subscribed there.

Is this mail with the JSON examples "good enough", or do you want/need a 
bug report to track this?

FYI: AppArmor 3.0 will be released soon[tm], so please don't wait too
long with adjusting the YaST side.


----------  Forwarded Message  ----------

Subject: Re: [apparmor] [yast-devel] Upcoming changes in AppArmor aa-status output
Date: Wednesday, 10 June 2020, 16:40:50 CEST
From: John Johansen <[email protected]>
To: Stefan Hundhammer <[email protected]>, Christian Boltz <[email protected]>
Cc: [email protected], [email protected]

On 5/4/20 1:08 AM, Stefan Hundhammer wrote:
> On 2020-04-30 13:22, Christian Boltz wrote:
>> Hello,
>>
>> AFAIK the YaST AppArmor module uses the JSON output of aa-status.
>>
>> There are two upcoming changes, and I'd like to point them out so that
>> you can adjust the YaST AppArmor module if needed.
> 
> This time PLEASE remember to also bump the JSON version number of 
> that output. We had to do a pretty ugly hot fix for that last time, 
> and it was just coincidence that this did not conflict with the 
> previous version.
> 

The JSON version was bumped to 2.

Attached is an example output of aa-status, along with the corresponding 
pretty JSON and compressed JSON output using the new unconfined, kill, 
mixed, and prompt modes.

-------------------------------------------------------------



Regards,

Christian Boltz
-- 
a car also "works" with square tires; whether I would want to drive
something like that is another question. [Björn Meier in postfixbuch-users]

apparmor module is loaded.
45 profiles are loaded.
40 profiles are in enforce mode.
   /snap/core/9289/usr/lib/snapd/snap-confine
   /snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   :ns:foo
   firefox
   firefox//browser_java
   firefox//browser_openjdk
   firefox//lsb_release
   firefox//sanitized_helper
   ippusbxd
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.core
   snap-update-ns.snap-store
   snap.core.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
1 profiles are in kill mode.
   example
1 profiles are in unconfined mode.
   test
1 profiles are in prompt mode.
   interactive
8 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cups-browsed (624) 
   /usr/sbin/cupsd (520) 
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/bash (1466) test
1 processes are in mixed mode.
   /usr/bin/cat (1502) interactive//&:ns:foo
1 processes are in kill mode.
   /usr/bin/cat (1474) example
3 processes are in prompt mode.
   /usr/bin/cat (1475) interactive
   /usr/bin/cat (1499) interactive//&:ns:unconfined
   /usr/bin/cat (1497) interactive//&unconfined

Attachment: aa-status.json
Description: application/json

{
        "version":      "2",
        "profiles":     {
                "/snap/core/9289/usr/lib/snapd/snap-confine":   "enforce",
                "/snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper":   "enforce",
                "/usr/bin/evince":      "enforce",
                "/usr/bin/evince-previewer":    "enforce",
                "/usr/bin/evince-previewer//sanitized_helper":  "enforce",
                "/usr/bin/evince-thumbnailer":  "enforce",
                "/usr/bin/evince//sanitized_helper":    "enforce",
                "/usr/bin/man": "enforce",
                "/usr/lib/NetworkManager/nm-dhcp-client.action":        "enforce",
                "/usr/lib/NetworkManager/nm-dhcp-helper":       "enforce",
                "/usr/lib/connman/scripts/dhclient-script":     "enforce",
                "/usr/lib/cups/backend/cups-pdf":       "enforce",
                "/usr/lib/snapd/snap-confine":  "enforce",
                "/usr/lib/snapd/snap-confine//mount-namespace-capture-helper":  "enforce",
                "/usr/sbin/cups-browsed":       "enforce",
                "/usr/sbin/cupsd":      "enforce",
                "/usr/sbin/cupsd//third_party": "enforce",
                "/usr/sbin/tcpdump":    "enforce",
                "/{,usr/}sbin/dhclient":        "enforce",
                ":ns:foo":      "enforce",
                "firefox":      "enforce",
                "firefox//browser_java":        "enforce",
                "firefox//browser_openjdk":     "enforce",
                "firefox//lsb_release": "enforce",
                "firefox//sanitized_helper":    "enforce",
                "ippusbxd":     "enforce",
                "libreoffice-senddoc":  "enforce",
                "libreoffice-soffice//gpg":     "enforce",
                "libreoffice-xpdfimport":       "enforce",
                "lsb_release":  "enforce",
                "man_filter":   "enforce",
                "man_groff":    "enforce",
                "nvidia_modprobe":      "enforce",
                "nvidia_modprobe//kmod":        "enforce",
                "snap-update-ns.core":  "enforce",
                "snap-update-ns.snap-store":    "enforce",
                "snap.core.hook.configure":     "enforce",
                "snap.snap-store.snap-store":   "enforce",
                "snap.snap-store.ubuntu-software":      "enforce",
                "snap.snap-store.ubuntu-software-local-file":   "enforce",
                "libreoffice-oopslash": "complain",
                "libreoffice-soffice":  "complain",
                "example":      "kill",
                "test": "unconfined",
                "interactive":  "prompt"
        },
        "processes":    {
                "/usr/sbin/cups-browsed":       [{
                                "profile":      "/usr/sbin/cups-browsed",
                                "pid":  "624",
                                "status":       "enforce"
                        }],
                "/usr/sbin/cupsd":      [{
                                "profile":      "/usr/sbin/cupsd",
                                "pid":  "520",
                                "status":       "enforce"
                        }],
                "/usr/bin/bash":        [{
                                "profile":      "test",
                                "pid":  "1466",
                                "status":       "unconfined"
                        }],
                "/usr/bin/cat": [{
                                "profile":      "interactive//&:ns:foo",
                                "pid":  "1502",
                                "status":       "mixed"
                        }],
                "/usr/bin/cat": [{
                                "profile":      "example",
                                "pid":  "1474",
                                "status":       "kill"
                        }],
                "/usr/bin/cat": [{
                                "profile":      "interactive",
                                "pid":  "1475",
                                "status":       "prompt"
                        }, {
                                "profile":      "interactive//&unconfined",
                                "pid":  "1497",
                                "status":       "prompt"
                        }, {
                                "profile":      "interactive//&:ns:unconfined",
                                "pid":  "1499",
                                "status":       "prompt"
                        }]
        }
}
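
An added example, not part of the original mail and not AppArmor or YaST code: in the attachment above, the "processes" object repeats the key "/usr/bin/cat", and Python's json.loads keeps only the last value for a repeated key, so a consumer would silently lose process entries. The code below checks the version field, merges repeated keys, and lists every process whose status is not "enforce"; the function names and the shortened SAMPLE are assumptions made for the illustration.

```python
import json
from collections import Counter

SUPPORTED_VERSIONS = {"2"}
KNOWN_MODES = {"enforce", "complain", "kill", "unconfined", "mixed", "prompt"}

# Shortened copy of the attachment above; "/usr/bin/cat" appears twice.
SAMPLE = """
{"version": "2",
 "profiles": {"/usr/sbin/cupsd": "enforce", "example": "kill",
              "test": "unconfined", "interactive": "prompt"},
 "processes": {
  "/usr/sbin/cupsd": [{"profile": "/usr/sbin/cupsd", "pid": "520", "status": "enforce"}],
  "/usr/bin/bash": [{"profile": "test", "pid": "1466", "status": "unconfined"}],
  "/usr/bin/cat": [{"profile": "interactive//&:ns:foo", "pid": "1502", "status": "mixed"}],
  "/usr/bin/cat": [{"profile": "example", "pid": "1474", "status": "kill"}]}}
"""

def _merge_pairs(pairs):
    """Build a dict; concatenate list values when a key repeats."""
    out = {}
    for key, value in pairs:
        if key not in out:
            out[key] = value
        elif isinstance(out[key], list) and isinstance(value, list):
            out[key] = out[key] + value
        else:
            # A repeated scalar key (e.g. two modes for one profile) is ambiguous.
            raise ValueError(f"duplicate key {key!r}")
    return out

def load_status(text):
    """Parse aa-status JSON, refusing versions this code was not written for."""
    data = json.loads(text, object_pairs_hook=_merge_pairs)
    if data.get("version") not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported aa-status JSON version: {data.get('version')!r}")
    return data

def process_summary(data):
    """Return (count per status, [(exe, pid, profile, status)] not in enforce)."""
    counts, flagged = Counter(), []
    for exe, entries in data["processes"].items():
        for entry in entries:
            # Modes added by a later release are counted as "unknown", not dropped.
            status = entry["status"] if entry["status"] in KNOWN_MODES else "unknown"
            counts[status] += 1
            if status != "enforce":
                flagged.append((exe, int(entry["pid"]), entry["profile"], status))
    return counts, flagged
```
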
