From 2a785d642347d49d690f24bdabfff8f56b2db932 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Sun, 7 Jul 2024 05:16:37 -0700 Subject: [PATCH] utils/aa-unconfined: add a --short option Contrary to what the name would imply, aa-unconfined displays info for both confined and unconfined processes. Add a --short option that only outputs processes that are not confined. Eg. $ ./utils/aa-unconfined 17192 /snap/chromium/2890/usr/lib/chromium-browser/chrome (/snap/chromium/2890/usr/lib/chromium-browser/chrome --password-store=basic --disable-features=TFLiteLanguageDetectionEnabled) confined by 'snap.chromium.chromium (enforce)' 17395 /snap/chromium/2890/usr/lib/chromium-browser/chrome (/snap/chromium/2890/usr/lib/chromium-browser/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --crashpad-handler-pid=17337 --enable-crash-reporter=,snap --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,16674663885832976354,18417931519279121981,262144 --disable-features=TFLiteLanguageDetectionEnabled --variations-seed-version) confined by 'snap.chromium.chromium (enforce)' 17981 /snap/firefox/4451/usr/lib/firefox/firefox confined by 'snap.firefox.firefox (enforce)' 1353664 /tmp/.mount_OrcaSl7G1va5/bin/orca-slicer not confined is trimmed to $ ./utils/aa-unconfined --short 1353664 /tmp/.mount_OrcaSl7G1va5/bin/orca-slicer not confined Signed-off-by: John Johansen --- utils/aa-unconfined | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/utils/aa-unconfined b/utils/aa-unconfined index 48915b8ce..0e4c963a2 100755 --- a/utils/aa-unconfined +++ b/utils/aa-unconfined 
@@ -31,6 +31,7 @@ _ = init_translation() # setup module translations
 parser = argparse.ArgumentParser(description=_("Lists unconfined processes having tcp or udp ports"))
 parser.add_argument("--paranoid", action="store_true", help=_("scan all processes"))
 parser.add_argument("--show", default=None, type=str, help=_("all | network | server | client"))
+parser.add_argument("--short", action="store_true", help=_("only display processes that are unconfined"))
 parser.add_argument('--configdir', type=str, help=argparse.SUPPRESS)
 bin_group = parser.add_mutually_exclusive_group()
 bin_group.add_argument("--with-ss", action='store_true', help=_("use ss(8) to find listening processes (default)"))
@@ -126,7 +127,7 @@ def read_proc_current(filename):
 with open_file_read(filename) as current:
 for line in current:
 line = line.strip()
- if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1) or line.endswith(' (kill)', 1) or line.endswith(' (user)', 1): # enforce at least one char as profile name
+ if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1) or line.endswith(' (kill)', 1) or line.endswith(' (user)', 1) or line.endswith(' (mixed)', 1): # enforce at least one char as profile name
 # intentionally not checking for '(unconfined)', because $binary confined by $profile (unconfined) would look very confusing
 attr = line
 except OSError:
@@ -189,7 +190,7 @@ for pid in sorted(map(int, pids)):
 if pname and pname[-1] == ')':
 pname = ' ' + pname
 ui.UI_Info(_("%(pid)s %(program)s%(pname)s not confined") % {'pid': pid, 'program': prog, 'pname': pname})
- else:
+ elif not args.short:
 if regex_interpreter.search(prog):
 cmdline = re.sub(r"\0", " ", cmdline)
 cmdline = re.sub(r"\s+$", "", cmdline).strip()
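Review bot: The option name `--short` describes output length, while its help text and the commit message describe a filter (print only processes that are not confined), so a reader of `--help` cannot tell from the name what is being dropped. Consider registering a descriptive alias and stating in the help what is suppressed: `parser.add_argument("--short", "--unconfined-only", action="store_true", help=_("only list processes that are not confined (omit 'confined by' lines)"))`. The argument-parser block continues past this hunk, so I cannot see whether the man page is updated or how `--short` combines with `--show`.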
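Review bot: The added `or line.endswith(' (mixed)', 1)` is a behaviour change unrelated to `--short` that the commit message does not mention: before it, a process whose attr line ended in ` (mixed)` fell through this check, leaving `attr` unset, and (presumably, the caller is outside the hunk) was reported as not confined. The same false negative will recur for any mode the kernel adds later, which matters in a tool whose purpose is to surface unconfined processes, so a single check that accepts any parenthesised mode other than `unconfined` would be more robust, e.g. `if re.fullmatch(r'\S.* \((?!unconfined\))\w+\)', line):  # any mode but (unconfined); at least one char of profile name` (`re` is already imported, as the third hunk shows; `\w+` assumes mode names stay alphanumeric), or at minimum the chain can become `line.endswith((' (complain)', ' (enforce)', ' (kill)', ' (user)', ' (mixed)'), 1)`. Either way the `(mixed)` change deserves a sentence in the commit message or a commit of its own. `read_proc_current` starts before this hunk (the `try` matching `except OSError:` is not visible) and continues after it.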
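Review bot: `elif not args.short:` only hides the `confined by` branch, so everything that reaches the `not confined` branch above it is still printed — and the second hunk shows `read_proc_current` leaves `attr` unset when the attr file cannot be read (`except OSError:`), so if the condition guarding the `not confined` branch (outside this hunk) treats an unset `attr` as unconfined, an unprivileged `--short` run will report every process whose /proc entry it could not open as "not confined" rather than "unknown". Worth confirming; if so, either print those separately or say in the help that `--short` is only meaningful as root. As a pre-existing, out-of-scope note: `prog`, `pname` and `cmdline` come from the target process and are written unescaped, so a process can put terminal control sequences into this output. The `for pid` loop starts at the hunk header and continues past the hunk.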