In some cases (if profiles in complain and enforce mode are loaded), the
`i` loop runs more than once, which also means `j == 0` is true in the
middle of the json. This causes invalid json.
This patch fixes this.
This is a regression related to 22aa9b6161
/ https://gitlab.com/apparmor/apparmor/-/merge_requests/964 /
https://gitlab.com/apparmor/apparmor/-/issues/295
which fixed another case of invalid json if a process was unconfined
while having a profile defined.
Note: I also tested this patch for the "unconfined, but has a profile
defined" case to ensure it doesn't break what
22aa9b6161 fixed.
To emphasize that the
--mode
--processs
--profiles
--pid
options are filters rename them to
--filter.mode
--filter.processs
--filter.profiles
--filter.pid
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the basic infrastructure for adding regex based filters and
allow filtering process and profiles by mode based on a user supplied
filter.
Signed-off-by: John Johansen <john.johansen@canonical.com>
So that the user can control the set of data being shown add a --show
flag. Currently it allows showing
all
profiles
processes
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for new options and controls, split detailed_output()
into detailed_profiles() and detailed_processes() and This switch the
output processing to one larger pass that uses option flags.
This doesn't change current behavior and is in not as clean as the
current code for the current option set. However it will allow us to
easily add new options in one place and have them apply correctly
every where.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make it so the output options that count profiles and processes can
be output to a file.
This does not add a user option to do so
Signed-off-by: John Johansen <john.johansen@canonical.com>
For detailed output split up where output is going from whether json
is being produced.
This also allows none json output to go to a file.
Signed-off-by: John Johansen <john.johansen@canonical.com>
As reported in issue #295, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
This fixes a crash when a profile name contains a \n character which
breaks profile name parsing. The fix is minimal in that it ignores
the bad profile name and continues processing.
Ideally this name would not exist and is indicative of a bug in the kernel.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/211
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/824
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
add limits.h
aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char));
Signed-off-by: Armin Kuster <akuster808@gmail.com>
aa_status.c: In function ‘get_processes’:
aa_status.c:236:10: warning: unused variable ‘len’ [-Wunused-variable]
size_t len = 0;
^~~
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Fix signed/unsigned comparison warnings, and silence unused parameter
warnings due to the "cleverness" of the function pointer array and
wanting to print out the command as invoked in the usage statement.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://gitlab.com/apparmor/apparmor/-/merge_requests/517
Separate out the aa-status json version info out from being a magic
element embedded in a string in the middle of the json emitter, and move
it to an early location, along with a comment to edit it whenthe format
changes.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://gitlab.com/apparmor/apparmor/-/merge_requests/517
aa-status output has changed slightly to account for the newer profile
modes. This means the json version needs to be bumped so consumers
can detect the change.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/508
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
AppArmor 3 exposes kernel support for the kill and unconfined profile
modes. Make sure aa-status has basic support for these modes.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Processes that are confined by multiple profiles in a stack can have
more than one profile mode applied. Allow aa-status to report
processes that are in a mixed profile confinement mode.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Switch aa-status over to using the libapparmor proc accessor. This
will ensure that aa-status works correctly under LSM stacking kernels,
and if other new interfaces are added in the future.
Also at the same time switch over the splitting of context's to
the library provided aa_splitcon() fn.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
