From e3185cadf3e5ab43a0ea945ea84da6d3850ca37f Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Sun, 26 Apr 2020 04:20:47 -0700
Subject: [PATCH] aa-status: add output for for stacked processes in mixed mode

Processes that are confined by multiple profiles in a stack can have more than one profile mode applied. Allow aa-status to report processes that are in a mixed profile confinement mode.

Signed-off-by: John Johansen
Acked-by: Steve Beattie
---
 binutils/aa-status.pod | 5 +++++
 binutils/aa_status.c | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/binutils/aa-status.pod b/binutils/aa-status.pod
index b97f0bbef..9cfa795d3 100644
--- a/binutils/aa-status.pod
+++ b/binutils/aa-status.pod
@@ -70,6 +70,11 @@ displays the number of loaded enforcing AppArmor policies.
 
 displays the number of loaded non-enforcing AppArmor policies.
 
+=item --process-mixed
+
+displays the number of processes confined by profile stacks with
+profiles in different modes.
+
 =item --verbose
 
 displays multiple data points about loaded AppArmor policy
diff --git a/binutils/aa_status.c b/binutils/aa_status.c
index 9f9389ff6..810531214 100644
--- a/binutils/aa_status.c
+++ b/binutils/aa_status.c
@@ -367,6 +367,28 @@ static int simple_filtered_count(const char *filter) {
 return ret;
 }
 
+static int simple_filtered_process_count(const char *filter) {
+ size_t nprocesses, nprofiles;
+ struct profile *profiles = NULL;
+ struct process *processes = NULL;
+ int ret;
+
+ ret = get_profiles(&profiles, &nprofiles);
+ if (ret != 0)
+ return ret;
+ ret = get_processes(profiles, nprofiles, &processes, &nprocesses);
+ if (ret == 0) {
+ size_t nfiltered;
+ struct process *filtered = NULL;
+ ret = filter_processes(processes, nprocesses, filter, &filtered, &nfiltered);
+ printf("%zd\n", nfiltered);
+ free_processes(filtered, nfiltered);
+ }
+ free_profiles(profiles, nprofiles);
+ free_processes(processes, nprocesses);
+ return ret;
+}
+
 static int cmd_enabled(const char *command) {
 int res = aa_is_enabled();
 return res == 1 ? 0 : 1;
@@ -385,6 +407,11 @@ static int cmd_complaining(const char *command) {
 return simple_filtered_count("complain");
 }
 
+static int cmd_process_mixed(const char *command) {
+ return simple_filtered_process_count("mixed");
+}
+
+
 static int compare_processes_by_profile(const void *a, const void *b) {
 return strcmp(((struct process *)a)->profile,
 ((struct process *)b)->profile);
@@ -400,7 +427,7 @@ static int detailed_output(int json) {
 struct profile *profiles = NULL;
 struct process *processes = NULL;
 const char *profile_statuses[] = {"enforce", "complain"};
- const char *process_statuses[] = {"enforce", "complain", "unconfined"};
+ const char *process_statuses[] = {"enforce", "complain", "unconfined", "mixed"};
 int ret, i;
 
 ret = get_profiles(&profiles, &nprofiles);
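Review bot: In simple_filtered_process_count, `nfiltered` is declared without an initializer and the return value of `filter_processes` is stored in `ret` but never checked before `printf("%zd\n", nfiltered)` and `free_processes(filtered, nfiltered)` execute, so on a filter failure an indeterminate count is printed and handed to the free routine. Initialise the count and gate the print on success: `size_t nfiltered = 0;`, then `if (ret == 0)` / `printf("%zu\n", nfiltered);`. `%zu` is also the conversion that matches a `size_t` argument; `%zd` takes the signed counterpart and the mismatch is undefined behaviour under the C standard even where it prints correctly in practice. The `get_processes` failure path has the same shape, since `nprocesses` is passed to `free_processes` uninitialised alongside a NULL `processes`; whether that routine tolerates a NULL list with an arbitrary count depends on its definition, which is outside this hunk.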
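Review bot: cmd_process_mixed is followed by two added blank lines (the two bare `+` lines) before compare_processes_by_profile, whereas the neighbouring handlers such as cmd_complaining are separated by a single blank line. Dropping one of them keeps the spacing consistent with the rest of the file.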
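Review bot: Appending "mixed" to `process_statuses` only takes effect if the loop that walks the array in detailed_output derives its bound from the array itself (for example `sizeof(process_statuses) / sizeof(process_statuses[0])`) rather than from a literal that matched the old length of 3; that loop lies outside this hunk, so it is worth confirming. If the array does drive the output, the change presumably adds a `mixed` entry to the --verbose and --json output as well, which is user-visible and is not mentioned in the aa-status.pod change in this patch, which documents only the `--process-mixed` flag.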
@@ -524,6 +551,7 @@ static int print_usage(const char *command)
 " --profiled prints the number of loaded policies\n"
 " --enforced prints the number of loaded enforcing policies\n"
 " --complaining prints the number of loaded non-enforcing policies\n"
+ " --process-mixed prints the number processes with mixed profile modes\n"
 " --json displays multiple data points in machine-readable JSON format\n"
 " --pretty-json same data as --json, formatted for human consumption as well\n"
 " --verbose (default) displays multiple data points about loaded policy set\n"
@@ -542,6 +570,7 @@ static struct command commands[] = {
 {"--profiled", cmd_profiled},
 {"--enforced", cmd_enforced},
 {"--complaining", cmd_complaining},
+ {"--process-mixed", cmd_process_mixed},
 {"--json", cmd_json},
 {"--pretty-json", cmd_pretty_json},
 {"--verbose", cmd_verbose},
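Review bot: The added usage string reads "prints the number processes with mixed profile modes" and is missing the word "of"; change it to `"  --process-mixed prints the number of processes with mixed profile modes\n"`. The pod text added for the same option describes "processes confined by profile stacks with profiles in different modes", so the help line could reuse that wording to keep the two descriptions aligned.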