[Apparmor-general] how to get the status of the apparmor

Steve Beattie sbeattie at suse.de
Tue May 15 14:28:57 MDT 2007


On Tue, May 15, 2007 at 12:56:02AM -0600, S Kalyanasundaram wrote:
>   I wanted to reload the apparmor profiles through my script. I was doing
> 
> ....
> APPARMOR_INIT=/etc/init.d/boot.apparmor
> $APPARMOR_INIT status
> APPARMOR_RUNNING=$?
> 
> if [ "x$APPARMOR_RUNNING" = "x0" ]
> then
>         $APPARMOR_INIT restart
> fi
> ....
> 
> But $? returns 0 in both the cases (start,stop). How do I get the status of the apparmor profile? Is there any environment variable that I can use?
> 
> I am planning something of this kind for now.
> 
> ....
> x=`rcapparmor status | grep "profiles are loaded" | cut -d' ' -f 1`
> if [ "${x:-0}" -gt 0 ]
> then
>  rcapparmor restart
> fi
> ....
> 
> Is there any better solution? Please suggest me.

Erk, there's potentially a couple of issues here. "boot.apparmor status"
is just a wrapper around /usr/sbin/apparmor_status (from the utils
directory).  The first is that the boot.apparmor script doesn't appear
to be propagating the return code from apparmor_status -- apparmor_status
will return the following values[1]:

  0 if apparmor is enabled and policy is loaded
  1 if apparmor is not enabled/loaded
  2 if apparmor is enabled but no policy is loaded
  3 if the apparmor control files aren't available under /sys/kernel/security/
  4 if the user running the script doesn't have enough privileges to
    read the apparmor control files

The second is that the recent lkml submission changed the way processes
that are not confined by apparmor policy are reported in the status
files and apparmor_status has not been modified to match, so depending
on what version of the module you're running, it may be mis-reporting
how many processes are confined by policy. The following patch should
address the second issue:

Index: b/utils/apparmor_status
===================================================================
--- a/utils/apparmor_status
+++ b/utils/apparmor_status
@@ -101,7 +101,7 @@ sub count_processes {
       if ($file =~ m/^\d+/ && open(CURRENT, "/proc/$file/attr/current")) {
 	while (<CURRENT>) {
 	  $processes++;
-	  $confined++ if not m/^unconstrained$/;
+	  $confined++ if not m/^uncon(stra|f)ined$/;
 	  $enforced++ if m/\(enforce\)$/;
 	  $complain++ if m/\(complain\)$/;
 	}
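Review bot: the widened pattern `m/^uncon(stra|f)ined$/` on the `+` line now accepts both the older `unconstrained` label and the newer `unconfined` one, but nothing in the hunk records that two kernel-module vocabularies are being matched on purpose; a one-line comment above it (e.g. `# older modules report "unconstrained", newer ones "unconfined"`) would stop a later cleanup from collapsing the alternation back to a single spelling and silently reintroducing the miscount.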

I'll look into why the initscript isn't properly propagating error
codes.

For your script, I would probably look at running apparmor_status
directly. I note that it lacks a --quiet mode, but would be open to
adding one.

Thanks.

[1] Annoyingly, I did not document these return codes in the
    apparmor_status manpage, I guess that's a third issue.

-- 
Steve Beattie
SUSE Labs, Novell Inc. 
<sbeattie at suse.de>
http://NxNW.org/~steve/
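Putting the return-code table and the "run apparmor_status directly" suggestion together, an added example that is not part of the thread: a POSIX sh script that branches on apparmor_status's own exit code rather than on the init script's return value or on grepping its output. APPARMOR_STATUS and APPARMOR_INIT are assumed override variables (so a stub can stand in for the real binary); they default to the paths named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: branch on apparmor_status's own exit
# code instead of the init script's return value, which the thread says is not
# propagated. APPARMOR_STATUS is an assumed override (so a stub can stand in for
# the real binary); it defaults to the path Steve names.
APPARMOR_STATUS="${APPARMOR_STATUS:-/usr/sbin/apparmor_status}"
APPARMOR_INIT="${APPARMOR_INIT:-/etc/init.d/boot.apparmor}"

# Map an apparmor_status exit code to its meaning from the table in the thread.
describe_status() {
    case "$1" in
        0) echo "enabled, policy loaded" ;;
        1) echo "not enabled/loaded" ;;
        2) echo "enabled, no policy loaded" ;;
        3) echo "control files missing under /sys/kernel/security/" ;;
        4) echo "insufficient privileges to read control files" ;;
        *) echo "unknown exit code $1" ;;
    esac
}

# True (0) only when policy is actually loaded; that is the one state in which
# a restart re-reads profiles rather than papering over a broken setup.
should_reload() {
    [ "$1" -eq 0 ]
}

# Run apparmor_status, discard its text, and return its exit code. The if/else
# keeps the call safe under `set -e`; the text is not grepped because its
# wording (and its process counts) differs between module versions.
query_status() {
    if "$APPARMOR_STATUS" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    echo "apparmor_status exit $rc: $(describe_status "$rc")" >&2
    return "$rc"
}

# Decide and act. Codes 3 and 4 mean AppArmor's state cannot be observed at all
# (wrong kernel, wrong user), so they are reported and nothing is restarted.
main() {
    rc=0; query_status || rc=$?
    if should_reload "$rc"; then
        "$APPARMOR_INIT" restart
    elif [ "$rc" -ge 3 ]; then
        echo "cannot determine AppArmor state; not restarting" >&2
        return "$rc"
    fi
}

# Act only when asked (./apparmor_reload.sh reload); with no argument the file
# just defines the functions so it can be sourced.
case "${1:-}" in reload) main ;; esac
```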