Hello,

AFAIK the YaST AppArmor module uses the JSON output of aa-status.

There are two upcoming changes, and I'd like to point them out so that 
you can adjust the YaST AppArmor module if needed.

a) new profile modes

Besides complain and enforce mode, future AppArmor versions (>= 3.0) 
will also have `unconfined`, `mixed` and `kill`.

Technically the structure of the JSON doesn't change, but there will be 
new values for the status, for example

    "processes": {
        "/usr/lib/GConf/2/gconfd-2": [
            {
                "pid": "3899",
                "profile": "/usr/lib/GConf/2/gconfd-2",
                "status": "kill"
            }
        ]
    },

    "profiles": {
        "/does/not/exist": "kill"
    }

Side question: Do you think this warrants increasing the JSON version 
number?

Quick explanation about the new modes:
- unconfined: similar to not having a profile, but when using an 
  unconfined profile, it's possible to replace it with a "real" profile 
  later, so that programs initially running under an unconfined profile
  get a profile in enforce mode
- kill: similar to enforce, but on profile violations, the process will 
  be killed instead of "just" getting EPERM
- mixed: when using stacked profiles, this indicates that a program is 
  for example using a stack of two profiles, one in complain and one in 
  enforce mode. (This also means you'll see "mixed" only in aa-status
  output, but never in a profile's "flags=(...)".)

(Extending the aa-* tools to support switching to kill and unconfined 
mode is still on my TODO list.)

b) whitespace changes

aa-status was rewritten in C, which results in changed whitespace in the 
--json output. Currently --pretty-json also results in "compressed" 
JSON, but I hope that this will change again in the future.
I'd guess/hope that whitespace changes shouldn't matter, but please 
check nevertheless.
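One way a consumer such as the YaST module could cope with both changes above, as an added example (my own Ruby, not YaST's or AppArmor's code; the sample JSON, its paths, pids and "version" value are constructed for illustration):

```ruby
require "json"

# Profile modes an aa-status consumer should accept; "unconfined",
# "mixed" and "kill" are the modes added with AppArmor >= 3.0.
KNOWN_MODES = %w[enforce complain unconfined mixed kill].freeze

# Constructed sample in the compact whitespace the C rewrite of aa-status
# emits. Paths, pids and the version value are made up for this example.
COMPACT_JSON = '{"version":"2","profiles":{"/usr/sbin/ntpd":"enforce",' \
  '"/usr/bin/man":"complain","/usr/bin/stacked":"mixed",' \
  '"/does/not/exist":"kill","/usr/bin/foo":"unconfined"},' \
  '"processes":{"/usr/lib/GConf/2/gconfd-2":[{"pid":"3899",' \
  '"profile":"/usr/lib/GConf/2/gconfd-2","status":"kill"}],' \
  '"/usr/sbin/ntpd":[{"pid":"1234","profile":"/usr/sbin/ntpd",' \
  '"status":"enforce"}]}}'

# Parse aa-status --json output and tally profiles and processes per mode.
# Returns a hash with :profiles and :processes (mode => count) plus
# :unknown, the modes not in KNOWN_MODES, so the caller can warn about a
# mode it does not know yet instead of failing on it.
def summarize_aa_status(json_text)
  data = JSON.parse(json_text)
  result = { profiles: Hash.new(0), processes: Hash.new(0), unknown: [] }

  data.fetch("profiles", {}).each do |_path, mode|
    result[:profiles][mode] += 1
    result[:unknown] << mode unless KNOWN_MODES.include?(mode)
  end

  data.fetch("processes", {}).each_value do |entries|
    entries.each do |entry|
      mode = entry["status"]
      result[:processes][mode] += 1
      result[:unknown] << mode unless KNOWN_MODES.include?(mode)
    end
  end

  result[:unknown].uniq!
  result
end

# Re-serialising with pretty whitespace must yield the same summary; that
# is the property a consumer needs for the whitespace change to be harmless.
def whitespace_independent?(json_text)
  pretty = JSON.pretty_generate(JSON.parse(json_text))
  summarize_aa_status(json_text) == summarize_aa_status(pretty)
end
```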


Currently the new aa-status is only available in upstream git master.
If it makes testing easier for you, I can provide the compiled binary or 
some example output.


Regards,

Christian Boltz
-- 
The computer (when it wraps lines at separator characters) catching the wrong spots can lead to really horrible effects! [Ratti explaining the term "Plenken" on suse-linux]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor