aa-unconfined: also read /proc/$pid/attr/apparmor/current

This means moving the code that reads the 'current' file into a new function read_proc_current()Then call that function for both /proc/$pid/attr/apparmor/current (preferred) and /proc/$pid/attr/current (fallback).
2025-03-04 08:24:42 +01:00 · 2020-09-18 13:31:05 +02:00 · 2020-09-18 13:31:05 +02:00 · 5a31e94394
commit 5a31e94394
parent a680c949af
1 changed files with 17 additions and 7 deletions
--- a/utils/aa-unconfined
+++ b/utils/aa-unconfined
@ -99,6 +99,19 @@ def get_pids_netstat(netstat='netstat'):
    return pids


+def read_proc_current(filename):
+    attr = None
+
+    if os.path.exists(filename):
+        with apparmor.common.open_file_read(filename) as current:
+            for line in current:
+                line = line.strip()
+                if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1):  # enforce at least one char as profile name
+                    attr = line
+
+    return attr
+
+
 pids = set()
 if paranoid:
    pids = get_all_pids()
@ -112,13 +125,10 @@ for pid in sorted(map(int, pids)):
        prog = os.readlink("/proc/%s/exe" % pid)
    except OSError:
        continue
-    attr = None
-    if os.path.exists("/proc/%s/attr/current" % pid):
-        with apparmor.common.open_file_read("/proc/%s/attr/current" % pid) as current:
-            for line in current:
-                line = line.strip()
-                if line.endswith(' (complain)', 1) or line.endswith(' (enforce)', 1):  # enforce at least one char as profile name
-                    attr = line
+
+    attr = read_proc_current("/proc/%s/attr/apparmor/current" % pid)
+    if not attr:
+        attr = read_proc_current("/proc/%s/attr/current" % pid)

    pname = None
    cmdline = None