aa-status: add output for for stacked processes in mixed mode

Processes that are confined by multiple profiles in a stack can have more than one profile mode applied. Allow aa-status to report processes that are in a mixed profile confinement mode. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com>
2025-08-22 01:57:43 +00:00 · 2020-04-26 04:20:47 -07:00 · 2020-04-26 04:20:47 -07:00 · e3185cadf3
commit e3185cadf3
parent 68811fa42b
2 changed files with 35 additions and 1 deletions
--- a/binutils/aa-status.pod
+++ b/binutils/aa-status.pod
@ -70,6 +70,11 @@ displays the number of loaded enforcing AppArmor policies.

 displays the number of loaded non-enforcing AppArmor policies.

+=item --process-mixed
+
+displays the number of processes confined by profile stacks with
+profiles in different modes.
+
 =item --verbose

 displays multiple data points about loaded AppArmor policy
--- a/binutils/aa_status.c
+++ b/binutils/aa_status.c
@ -367,6 +367,28 @@ static int simple_filtered_count(const char *filter) {
        return ret;
 }

+static int simple_filtered_process_count(const char *filter) {
+	size_t nprocesses, nprofiles;
+        struct profile *profiles = NULL;
+        struct process *processes = NULL;
+        int ret;
+
+        ret = get_profiles(&profiles, &nprofiles);
+	if (ret != 0)
+		return ret;
+        ret = get_processes(profiles, nprofiles, &processes, &nprocesses);
+        if (ret == 0) {
+                size_t nfiltered;
+                struct process *filtered = NULL;
+                ret = filter_processes(processes, nprocesses, filter, &filtered, &nfiltered);
+                printf("%zd\n", nfiltered);
+                free_processes(filtered, nfiltered);
+        }
+        free_profiles(profiles, nprofiles);
+	free_processes(processes, nprocesses);
+        return ret;
+}
+
 static int cmd_enabled(const char *command) {
        int res = aa_is_enabled();
        return res == 1 ? 0 : 1;
@ -385,6 +407,11 @@ static int cmd_complaining(const char *command) {
        return simple_filtered_count("complain");
 }

+static int cmd_process_mixed(const char *command) {
+        return simple_filtered_process_count("mixed");
+}
+
+
 static int compare_processes_by_profile(const void *a, const void *b) {
        return strcmp(((struct process *)a)->profile,
                      ((struct process *)b)->profile);
@ -400,7 +427,7 @@ static int detailed_output(int json) {
        struct profile *profiles = NULL;
        struct process *processes = NULL;
        const char *profile_statuses[] = {"enforce", "complain"};
-        const char *process_statuses[] = {"enforce", "complain", "unconfined"};
+        const char *process_statuses[] = {"enforce", "complain", "unconfined", "mixed"};
        int ret, i;

        ret = get_profiles(&profiles, &nprofiles);
@ -524,6 +551,7 @@ static int print_usage(const char *command)
         "  --profiled      prints the number of loaded policies\n"
         "  --enforced      prints the number of loaded enforcing policies\n"
         "  --complaining   prints the number of loaded non-enforcing policies\n"
+         "  --process-mixed prints the number processes with mixed profile modes\n"
         "  --json          displays multiple data points in machine-readable JSON format\n"
         "  --pretty-json   same data as --json, formatted for human consumption as well\n"
         "  --verbose       (default) displays multiple data points about loaded policy set\n"
@ -542,6 +570,7 @@ static struct command commands[] = {
        {"--profiled", cmd_profiled},
        {"--enforced", cmd_enforced},
        {"--complaining", cmd_complaining},
+        {"--process-mixed", cmd_process_mixed},
        {"--json", cmd_json},
        {"--pretty-json", cmd_pretty_json},
        {"--verbose", cmd_verbose},