[Apparmor-dev] [rfr] apparmor_status: report more detailed information
Steve Beattie
sbeattie at suse.de
Thu May 31 09:31:11 MDT 2007
On Wed, May 30, 2007 at 07:23:54PM -0400, Mathias Gug wrote:
> I've attached a new diff.
Thanks, I committed this after doing some minor formatting cleanups
and s/constrained/confined/ in the variables and text, because it's
the terminology we use far more frequently. That /proc/pid/attr/current
contained the phrase "unconstrained" rather than "unconfined" is more
of a historical accident than anything.
> --- utils/apparmor_status (revision 704)
> +++ utils/apparmor_status (working copy)
> + if (m/^([^\(]+)\s+\((\w+)\)$/) {
> + $processes{$file}{'profile'} = $1;
> + $processes{$file}{'mode'} = $2;
> + } elsif (grep(abs_path("/proc/$file/exe") eq $_ , keys(%profiles))) {
> + # keep only unconstrained processes that have a profile defined
> + $processes{$file}{'profile'} = abs_path("/proc/$file/exe");
> + $processes{$file}{'mode'} = 'unconstrained';
> + }
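Review bot: in the `elsif`, `abs_path("/proc/$file/exe")` is re-evaluated for every key of `%profiles` inside the `grep`, and it returns undef whenever the link cannot be read (a kernel thread, a process that exited mid-scan, or another user's process when not running as root), so the `eq` emits "uninitialized value" warnings under `-w` and the entry is silently dropped. Resolve it once and use a hash lookup instead of scanning all keys: `my $exe = abs_path("/proc/$file/exe");` before the `if`, then `} elsif (defined $exe && exists $profiles{$exe}) {` and `$processes{$file}{'profile'} = $exe;`.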
While I'm quite content with the code as-is, if an interpreted script is
running unconfined but there's a profile defined for the script for some
reason, this won't catch that. You could consider doing something ugly
like looking at /proc/pid/cmdline if the exe is a symlink to a common
interpreter, and trying to parse it to see if there's a scriptname that
matches a profile, but this would strictly be a best-effort heuristic,
and not necessarily something to be counted on.
Thanks again, Mathias!
--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie at suse.de>
http://NxNW.org/~steve/
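The check in the quoted hunk (an unconfined process whose binary has a profile) together with Steve's interpreter caveat, as an added Python example that is not the apparmor_status script or any AppArmor project code; the interpreter list, the profile set and the sample process data in the test are assumptions constructed for illustration.

```python
import os
import re

# Matches the "profile (mode)" form of /proc/<pid>/attr/current; anything
# else (historically "unconstrained", today "unconfined") means no profile.
ATTR_RE = re.compile(r'^(\S.*?)\s+\((\w+)\)$')
# Assumed list of interpreters whose /proc/<pid>/exe hides the real script.
INTERPRETERS = {'perl', 'python', 'python3', 'sh', 'bash', 'ruby'}

def parse_attr_current(text):
    """Return (profile, mode); profile is None when the task is unconfined."""
    text = text.rstrip('\n')
    m = ATTR_RE.match(text)
    return (m.group(1), m.group(2)) if m else (None, text or 'unconfined')

def classify(pid, attr_text, exe, cmdline, profiles):
    """Report a confined task, or an unconfined one that a loaded profile covers.

    exe is the resolved /proc/<pid>/exe target (None if unreadable), cmdline the
    argv list and profiles the set of loaded profile names."""
    profile, mode = parse_attr_current(attr_text)
    if profile is not None:
        return {'pid': pid, 'profile': profile, 'mode': mode}
    if exe is None:            # exited, kernel thread, or not readable by us
        return None
    if exe in profiles:        # the hunk's case: binary has a profile, runs unconfined
        return {'pid': pid, 'profile': exe, 'mode': 'unconfined'}
    # Best-effort heuristic from the thread: an interpreter running a script that
    # has a profile.  Only the first non-option argument is treated as the script.
    if os.path.basename(exe) in INTERPRETERS:
        for arg in cmdline[1:]:
            if arg.startswith('-'):
                continue
            script = os.path.normpath(arg)
            if script in profiles:
                return {'pid': pid, 'profile': script, 'mode': 'unconfined',
                        'heuristic': True}
            break
    return None

def scan_proc(profiles, proc='/proc'):
    """Walk a live /proc; full results need read access to other users' tasks."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f'{proc}/{pid}/attr/current') as f:
                attr = f.read()
            exe = os.readlink(f'{proc}/{pid}/exe')
            with open(f'{proc}/{pid}/cmdline', 'rb') as f:
                cmdline = [a.decode(errors='replace') for a in f.read().split(b'\0') if a]
        except OSError:
            continue             # raced with exit, kernel thread, or permission denied
        r = classify(int(pid), attr, exe, cmdline, profiles)
        if r:
            found.append(r)
    return found
```

The heuristic result carries a `heuristic` flag so a report can mark those rows as unreliable, as the thread notes they are.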