mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 00:14:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

utils/aa-unconfined: add support to list processes with any network sockets

Browse source 
Add the ability to list applications that are unconfined and have
any open network socket open, both listening and non-listening.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2024-07-07 04:34:27 -07:00
parent 782f9802f0
commit e67a5ae05c
2 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
utils/aa-unconfined
View file

@ -30,7 +30,7 @@ _ = init_translation() # setup module translations
parser = argparse.ArgumentParser(description=_("Lists unconfined processes having tcp or udp ports")) parser = argparse.ArgumentParser(description=_("Lists unconfined processes having tcp or udp ports"))
parser.add_argument("--paranoid", action="store_true", help=_("scan all processes")) parser.add_argument("--paranoid", action="store_true", help=_("scan all processes"))
parser.add_argument("--show", default=None, type=str, help=_("all | server | client")) parser.add_argument("--show", default=None, type=str, help=_("all | network | server | client"))
parser.add_argument('--configdir', type=str, help=argparse.SUPPRESS) parser.add_argument('--configdir', type=str, help=argparse.SUPPRESS)
bin_group = parser.add_mutually_exclusive_group() bin_group = parser.add_mutually_exclusive_group()
bin_group.add_argument("--with-ss", action='store_true', help=_("use ss(8) to find listening processes (default)")) bin_group.add_argument("--with-ss", action='store_true', help=_("use ss(8) to find listening processes (default)"))
@ -45,7 +45,7 @@ if args.paranoid:
raise AppArmorException(_("Arguments --paranoid and --show=%s conflict") % args.show) raise AppArmorException(_("Arguments --paranoid and --show=%s conflict") % args.show)
show = 'all' show = 'all'
if args.show is not None: if args.show is not None:
if not args.show or args.show not in ['all', 'server', 'client']: if not args.show or args.show not in ['all', 'network', 'server', 'client']:
raise AppArmorException(_("Argument --show invalid value '%s'") % args.show) raise AppArmorException(_("Argument --show invalid value '%s'") % args.show)
show = args.show show = args.show
@ -60,6 +60,8 @@ def map_show_to_flags(show):
flags = '-nlp' flags = '-nlp'
if show == 'client': if show == 'client':
flags = '-np' flags = '-np'
elif show == 'network':
flags = '-nap'
return flags return flags

4
utils/aa-unconfined.pod
View file

@ -39,12 +39,14 @@ Displays all processes visible from F</proc> filesystem, and whether they
are confined by a profile or "not confined". Equivalent to are confined by a profile or "not confined". Equivalent to
I<--show=all>. I<--show=all>.
=item B<--show=(all|server|client)> =item B<--show=(all|network|server|client)>
Determines the set of processes to be displayed. Determines the set of processes to be displayed.
I<--show=all> show all processes is equivalent to I<--paranoid> I<--show=all> show all processes is equivalent to I<--paranoid>
I<--show=network> show only process with any sockets open.
I<--show=server> show only processes with listening sockets open. This is I<--show=server> show only processes with listening sockets open. This is
the B<default> value if I<--show=> or I<--paranoid> are not specified. the B<default> value if I<--show=> or I<--paranoid> are not specified.