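#! /usr/bin/python3
# ------------------------------------------------------------------
#
#    Copyright (C) 2005-2006 Novell/SUSE
#    Copyright (C) 2011 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

import re, os, sys, errno, json

# PLEASE NOTE: we try to keep aa-status as minimal as possible, for
# environments where installing all of the python utils and python
# apparmor module may not make sense. Please think carefully before
# importing anything from apparmor; see how the apparmor.fail import is
# handled below.

# setup exception handling
try:
    from apparmor.fail import enable_aa_exception_handler
    enable_aa_exception_handler()
except ImportError:
    # just let normal python exceptions happen (LP: #1480492)
    pass

# One "<name> (<mode>)" entry, as read from the apparmorfs "profiles" file
# and from /proc/<pid>/attr/current.  The name group is greedy so that only
# the final parenthesised word is taken as the mode; a name that itself
# contains "(" is therefore still parsed instead of being rejected.
PROFILE_LINE_RE = re.compile(r"^(.+)\s+\((\w+)\)$")

# Messages from stdmsg()/errormsg() are only emitted when this is True;
# cmd_verbose() switches it on.
verbose = False


def _parse_profile_line(line):
    '''Return (name, mode) for a "<name> (<mode>)" line, or None if the
    line does not have that shape'''
    match = PROFILE_LINE_RE.search(line)
    if match is None:
        return None
    return match.group(1), match.group(2)


def cmd_enabled():
    '''Returns error code if AppArmor is not enabled'''
    if get_profiles() == {}:
        sys.exit(2)


def cmd_profiled():
    '''Prints the number of loaded profiles'''
    profiles = get_profiles()
    sys.stdout.write("%d\n" % len(profiles))
    if profiles == {}:
        sys.exit(2)


def cmd_enforced():
    '''Prints the number of loaded enforcing profiles'''
    profiles = get_profiles()
    sys.stdout.write("%d\n" % len(filter_profiles(profiles, 'enforce')))
    if profiles == {}:
        sys.exit(2)


def cmd_complaining():
    '''Prints the number of loaded non-enforcing profiles'''
    profiles = get_profiles()
    sys.stdout.write("%d\n" % len(filter_profiles(profiles, 'complain')))
    if profiles == {}:
        sys.exit(2)


def cmd_verbose():
    '''Displays multiple data points about loaded profile set'''
    global verbose
    verbose = True
    profiles = get_profiles()
    processes = get_processes(profiles)

    stdmsg("%d profiles are loaded." % len(profiles))
    for status in ('enforce', 'complain'):
        filtered_profiles = filter_profiles(profiles, status)
        stdmsg("%d profiles are in %s mode." % (len(filtered_profiles), status))
        for item in filtered_profiles:
            stdmsg(" %s" % item)

    stdmsg("%d processes have profiles defined." % len(processes))
    for status in ('enforce', 'complain', 'unconfined'):
        filtered_processes = filter_processes(processes, status)
        if status == 'unconfined':
            stdmsg("%d processes are unconfined but have a profile defined." % len(filtered_processes))
        else:
            stdmsg("%d processes are in %s mode." % (len(filtered_processes), status))
        # Sort by name, and then by pid (pids are compared numerically)
        filtered_processes.sort(key=lambda entry: (entry[1], int(entry[0])))
        for (pid, process) in filtered_processes:
            stdmsg(" %s (%s) " % (process, pid))

    if profiles == {}:
        sys.exit(2)


def cmd_json(pretty_output=False):
    '''Outputs multiple data points about loaded profile set in a machine-readable JSON format'''
    profiles = get_profiles()
    processes = get_processes(profiles)

    report = {
        'version': '1',
        'profiles': {},
        'processes': {}
    }

    for status in ('enforce', 'complain'):
        for item in filter_profiles(profiles, status):
            report['profiles'][item] = status

    for status in ('enforce', 'complain', 'unconfined'):
        for (pid, process) in filter_processes(processes, status):
            report['processes'].setdefault(process, []).append({
                'pid': pid,
                'status': status
            })

    if pretty_output:
        sys.stdout.write(json.dumps(report, sort_keys=True, indent=4, separators=(',', ': ')))
    else:
        sys.stdout.write(json.dumps(report))


def cmd_pretty_json():
    '''Same as cmd_json(), with indented, key-sorted output'''
    cmd_json(True)


def get_profiles():
    '''Fetch loaded profiles

    Returns a dict mapping profile name to mode.  Exits with status 1 if
    the apparmor module is not loaded, 3 if the apparmor filesystem is
    not mounted and 4 if the profile list cannot be opened.'''
    profiles = {}

    if os.path.exists("/sys/module/apparmor"):
        stdmsg("apparmor module is loaded.")
    else:
        errormsg("apparmor module is not loaded.")
        sys.exit(1)

    apparmorfs = find_apparmorfs()
    if not apparmorfs:
        errormsg("apparmor filesystem is not mounted.")
        sys.exit(3)

    apparmor_profiles = os.path.join(apparmorfs, "profiles")
    try:
        f = open(apparmor_profiles)
    except IOError as e:
        if e.errno == errno.EACCES:
            errormsg("You do not have enough privilege to read the profile set.")
        else:
            errormsg("Could not open %s: %s" % (apparmor_profiles, os.strerror(e.errno)))
        sys.exit(4)

    with f:
        for line in f:
            if not line.strip():
                continue
            parsed = _parse_profile_line(line)
            if parsed is None:
                # An entry that cannot be parsed is reported (in verbose
                # mode) and left out of the result, so the counts printed
                # by the cmd_* functions do not include it.
                errormsg("Could not parse profile entry: %s" % line.rstrip("\n"))
                continue
            name, mode = parsed
            profiles[name] = mode

    return profiles


def get_processes(profiles):
    '''Fetch process list

    Returns a dict mapping pid (as a string) to a dict with the keys
    'profile' and 'mode'.  A process whose /proc entry cannot be read
    (for instance because it exited in the meantime or the caller is not
    allowed to read it) is skipped, so the result is best-effort and may
    be incomplete.'''
    processes = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open("/proc/%s/attr/current" % pid) as attr:
                lines = attr.readlines()
            for line in lines:
                parsed = _parse_profile_line(line)
                if parsed is not None:
                    processes[pid] = {'profile': parsed[0], 'mode': parsed[1]}
                    continue
                exe = os.path.realpath("/proc/%s/exe" % pid)
                if exe in profiles:
                    # keep only unconfined processes that have a profile defined
                    processes[pid] = {'profile': exe, 'mode': 'unconfined'}
        except (OSError, UnicodeError):
            # Deliberately best-effort, but limited to read/decode failures
            # so that KeyboardInterrupt and programming errors still surface.
            continue
    return processes


def filter_profiles(profiles, status):
    '''Return a sorted list of profiles that have a particular status'''
    return sorted(name for name, mode in profiles.items() if mode == status)


def filter_processes(processes, status):
    '''Return a list of [pid, profile] pairs for processes that have a particular status'''
    return [[pid, info['profile']]
            for pid, info in processes.items()
            if info['mode'] == status]


def find_apparmorfs():
    '''Finds AppArmor mount point

    Returns the path of the "apparmor" directory below the first
    securityfs mount that has one, or False if there is none.'''
    with open("/proc/mounts", "rb") as mounts:
        for entry in mounts:
            fields = entry.split()
            # Ignore lines too short to carry a filesystem type field.
            if len(fields) < 3 or fields[2] != b"securityfs":
                continue
            candidate = os.path.join(fields[1].decode(), "apparmor")
            if os.path.exists(candidate):
                return candidate
    return False


def errormsg(message):
    '''Prints to stderr if verbose mode is on'''
    if verbose:
        sys.stderr.write(message + "\n")


def stdmsg(message):
    '''Prints to stdout if verbose mode is on'''
    if verbose:
        sys.stdout.write(message + "\n")


def print_usage():
    '''Print usage information'''
    sys.stdout.write('''Usage: %s [OPTIONS]
Displays various information about the currently loaded AppArmor policy.
OPTIONS (one only):
  --enabled       returns error code if AppArmor not enabled
  --profiled      prints the number of loaded policies
  --enforced      prints the number of loaded enforcing policies
  --complaining   prints the number of loaded non-enforcing policies
  --json          displays multiple data points in machine-readable JSON format
  --pretty-json   same data as --json, formatted for human consumption as well
  --verbose       (default) displays multiple data points about loaded policy set
  --help          this message
''' % sys.argv[0])


def main():
    '''Parse the single optional command-line option and run its command

    Exits with status 0 when the command returns normally (the commands
    themselves may exit earlier with their own status) and with status 1
    for too many or unknown options.'''
    if len(sys.argv) > 2:
        sys.stderr.write("Error: Too many options.\n")
        print_usage()
        sys.exit(1)
    elif len(sys.argv) == 2:
        cmd = sys.argv.pop(1)
    else:
        cmd = '--verbose'

    # Command dispatch:
    commands = {
        '--enabled': cmd_enabled,
        '--profiled': cmd_profiled,
        '--enforced': cmd_enforced,
        '--complaining': cmd_complaining,
        '--json': cmd_json,
        '--pretty-json': cmd_pretty_json,
        '--verbose': cmd_verbose,
        '-v': cmd_verbose,
        '--help': print_usage,
        '-h': print_usage
    }

    if cmd in commands:
        commands[cmd]()
        sys.exit(0)
    else:
        sys.stderr.write("Error: Invalid command.\n")
        print_usage()
        sys.exit(1)


# Main
if __name__ == "__main__":
    main()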