On 12/29/2016 11:33 PM, Steve Beattie wrote:
> While editing the man page for aa-unconfined in this patch set, I
> noticed that it's uh pretty inaccurate at describing the behavior
> of aa-unconfined. It described listing processes without apparmor
> policies applied, whereas the tool reports processes with and without
> policies applied.
>
> The question is, which way is the preferred way to fix this? Change
> the documentation to accurately reflect the tool's behavior, or adjust
> the tool to more closely reflect the documentation?
>
Well I think the name is really pushing in the direction of only unconfined.
Note that it does only report unconfined processes without --paranoid but
with --paranoid it reports both confined and unconfined. If we want the
other behavior we can add a new tool aa-confined, or aa-netstat, ..? or
some such

> For reference, here's the man page, after applying the first patch in
> the series:
>
> AA-UNCONFINED(8)                  AppArmor                  AA-UNCONFINED(8)
>
> NAME
>     aa-unconfined - output a list of processes with tcp or udp
>     ports that do not have AppArmor profiles loaded
>
> SYNOPSIS
>     aa-unconfined [--paranoid] [--with-ss | --with-netstat]
>
> OPTIONS
>     --paranoid
>         Displays all processes from /proc filesystem with tcp or
>         udp ports that do not have AppArmor profiles loaded.
>
>     --with-ss
>         Use the ss(8) command to find processes listening on
>         network sockets (the default).
>
>     --with-netstat
>         Use the netstat(8) command to find processes listening on
>         network sockets. This is also what aa-unconfined will
>         fall back to when ss(8) is not available.
>
> DESCRIPTION
>     aa-unconfined will use netstat(8) to determine which
>     processes have open network sockets and do not have AppArmor
>     profiles loaded into the kernel.
>
> BUGS
>     aa-unconfined must be run as root to retrieve the process
>     executable link from the /proc filesystem. This program is
>     susceptible to race conditions of several flavours: an
>     unlinked executable will be mishandled; an executable started
>     before an AppArmor profile is loaded will not appear in the
>     output, despite running without confinement; a process that
>     dies between the netstat(8) and further checks will be
>     mishandled. This program only lists processes using TCP and
>     UDP. In short, this program is unsuitable for forensics use
>     and is provided only as an aid to profiling all network-
>     accessible processes in the lab.
>
>     If you find any bugs, please report them at
>     <https://bugs.launchpad.net/apparmor/+filebug>.
>
> SEE ALSO
>     ss(8), netstat(8), apparmor(7), apparmor.d(5),
>     aa_change_hat(2), and <http://wiki.apparmor.net>.
>
> AppArmor 2.10.95                  2016-12-30                 AA-UNCONFINED(8)
>
>

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
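To make the behaviour being debated above concrete, here is an added example (editor's code, not the AppArmor project's aa-unconfined) of the check the man page describes: enumerate processes that own TCP/UDP sockets via ss(8), read each one's AppArmor label from /proc, and in the default mode report only the unconfined ones, while a --paranoid switch lists every surviving process with its status, which is the "both confined and unconfined" behaviour John describes. It assumes the label lives at /proc/PID/attr/apparmor/current (newer kernels) or /proc/PID/attr/current (older ones), that `ss -lntup` prints a `users:(("name",pid=N,fd=M))` process column, and that a label of exactly `unconfined` means no profile is attached. The ss output and the label table embedded below are constructed so the module runs offline; pid 1204 is deliberately missing from the label table to exercise the "process died between netstat and the /proc check" race the BUGS section warns about.

```python
#!/usr/bin/env python3
"""Sketch of the aa-unconfined check: which socket-owning processes run
without an AppArmor profile. Added example, not the AppArmor project's code."""
import re
import subprocess
import sys
from pathlib import Path

# Constructed sample of `ss -lntup` output; not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      511                *:80               *:*     users:(("nginx",pid=1203,fd=6),("nginx",pid=1204,fd=6))
"""

# Constructed stand-in for /proc/PID/attr/*/current contents. Pid 1204 is
# deliberately absent to model a process that exited after ss ran.
FAKE_LABELS = {
    612: "unconfined",
    845: "/usr/sbin/sshd (enforce)",
    1203: "/usr/sbin/nginx (complain)",
}

PID_RE = re.compile(r"pid=(\d+)")


def pids_from_ss(text):
    """Collect every PID that ss names in the Process column."""
    pids = set()
    for line in text.splitlines():
        pids.update(int(p) for p in PID_RE.findall(line))
    return pids


def read_label(pid, proc_root="/proc"):
    """Return the process's AppArmor label, or None if it has gone away.

    Assumed paths: newer kernels expose /proc/PID/attr/apparmor/current,
    older ones only /proc/PID/attr/current. Both vanish with the process,
    which is the ss-vs-/proc race the man page's BUGS section describes.
    """
    for rel in ("attr/apparmor/current", "attr/current"):
        try:
            return Path(proc_root, str(pid), rel).read_text().strip()
        except (FileNotFoundError, ProcessLookupError):
            continue
    return None


def classify(label):
    """'unconfined' -> unconfined; None -> gone; anything else is a profile."""
    if label is None:
        return "gone"
    if label == "unconfined" or label.startswith("unconfined "):
        return "unconfined"
    return "confined"


def report(pids, label_of, paranoid=False):
    """Return (pid, status, label) rows.

    Default mode mirrors aa-unconfined: only unconfined processes. With
    paranoid=True every surviving process is listed with its status, so a
    confined sshd shows up next to an unconfined dhclient.
    """
    rows = []
    for pid in sorted(pids):
        label = label_of(pid)
        status = classify(label)
        if status == "gone":
            continue  # died between enumeration and the /proc read
        if paranoid or status == "unconfined":
            rows.append((pid, status, label))
    return rows


def main(argv):
    paranoid = "--paranoid" in argv
    if paranoid:
        # Walk all of /proc, as the man page says --paranoid does.
        pids = {int(p.name) for p in Path("/proc").iterdir() if p.name.isdigit()}
    else:
        out = subprocess.run(["ss", "-lntup"], capture_output=True,
                             text=True, check=True).stdout
        pids = pids_from_ss(out)
    for pid, status, label in report(pids, read_label, paranoid):
        print(f"{pid:>7}  {status:<10} {label}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as root so ss can attribute sockets to PIDs (`-p` needs the privilege to read other users' /proc entries). Two caveats carry over from the man page: a process that exits between the ss call and the /proc read is silently dropped rather than misreported, and the check says nothing about processes that never open a socket unless --paranoid is used. One caveat the man page does not mention: /proc/PID/attr/current is a generic LSM interface, so on a system where another LSM such as SELinux is the active label provider the file holds that LSM's context and this script would wrongly count the process as confined by AppArmor.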