Hi.
Please add apparmor (http://apparmor.wiki.kernel.org/) status reading support
(at least):
```
# cat /proc/29752/attr/current
/usr/sbin/httpd.prefork//HAT_owner_22753 (enforce)
```
which means that this process is using apparmor profile
"/usr/sbin/httpd.prefork" and hat "HAT_owner_22753" in enforce mode.
Other possibilities of current are for example:
"unconfined" - so no policy loaded for the process
"/usr/sbin/httpd.prefork (enforce)" - only profile used, without apparmor
activated (process can change its hats while running)
That info can be read from /proc or using libapparmor library:
https://launchpad.net/apparmor/2.8/2.8.3/+download/apparmor-2.8.3.tar.gz
Mmm... I didn't know about this.
My first impression is that this is too specific to belong in psutil.
Anyway, what API do you think this should have?
According to your example it seems this should return a (file, user) tuple or something.
http://manpages.ubuntu.com/manpages/saucy/man2/aa_getcon.2.html and
aa_gettaskcon is what interests us.
Such code:
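```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/apparmor.h>   /* link with -lapparmor */

int main(void) {
    char *b1, *b2;   /* b1 = context, b2 = mode */
    pid_t i;

    /* Scan the PID range; PIDs that cannot be queried return -1 and are skipped. */
    for (i = 0; i < 100000; i++) {
        if (aa_gettaskcon(i, &b1, &b2) != -1) {
            /* mode is NULL for unconfined tasks */
            printf("[%s] [%s]\n", b1, b2 ? b2 : "(null)");
            free(b1);   /* b2 points into b1's buffer, so only b1 is freed */
        }
    }
    return 0;
}
```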
gets us:
```
[/usr/sbin/pure-ftpd] [enforce]
[unconfined] [(null)]
[unconfined] [(null)]
[unconfined] [(null)]
[/usr/sbin/httpd.prefork] [enforce]
[/usr/sbin/httpd.prefork//HANDLING_UNTRUSTED_INPUT] [enforce]
```
so API for this could be tuple (context, mode)
(terms from man page, it's not file, not profile according to man page, it's
context and mode)
Note, on linux with apparmor disabled (# CONFIG_SECURITY_APPARMOR is not set)
you can't access that file:
```
$ LC_ALL=C cat /proc/4393/attr/current
cat: /proc/4393/attr/current: Invalid argument
```
apparmor is part of upstream linux kernel, so well... worth considering
supporting it. Same for SELinux tags.
From ar...@maven.pl on February 21, 2014 12:24:36
Original issue: http://code.google.com/p/psutil/issues/detail?id=483
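The `/proc/<pid>/attr/current` strings quoted in this issue can be parsed without libapparmor. The following is an added example, not code from psutil or from anyone in the thread; `AAContext`, `parse_attr_current`, `read_confinement` and the `proc_root` parameter are hypothetical names, and it assumes AppArmor is the security module behind `attr/current`.

```python
import errno
from typing import NamedTuple, Optional


class AAContext(NamedTuple):  # hypothetical result type, not a psutil API
    profile: str
    hat: Optional[str]
    mode: Optional[str]


def parse_attr_current(raw: str) -> AAContext:
    """Split '<profile>[//<hat>] (<mode>)' or bare 'unconfined' into fields."""
    text = raw.strip("\x00\n ")
    context, mode = text, None
    if text.endswith(")") and " (" in text:
        # The mode is the last parenthesised token; the context may contain spaces.
        context, _, tail = text.rpartition(" (")
        mode = tail[:-1]
    profile, sep, hat = context.partition("//")
    return AAContext(profile, hat if sep else None, mode)


def read_confinement(pid: int, proc_root: str = "/proc") -> Optional[AAContext]:
    """Return the task's context, or None when no label can be read."""
    try:
        with open(f"{proc_root}/{pid}/attr/current", "rb") as fh:
            raw = fh.read()
    except OSError as exc:
        # EINVAL: AppArmor not enabled in the kernel (the 'Invalid argument' case).
        # ENOENT/ESRCH: the process exited or never existed.
        if exc.errno in (errno.EINVAL, errno.ENOENT, errno.ESRCH):
            return None
        raise  # e.g. EACCES: surface permission problems to the caller
    return parse_attr_current(raw.decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed samples copied from the strings quoted in this thread.
    for sample in (
        "/usr/sbin/httpd.prefork//HAT_owner_22753 (enforce)\n",
        "/usr/sbin/httpd.prefork (enforce)\n",
        "unconfined\n",
    ):
        print(parse_attr_current(sample))
```

Returning `None` separately from an `unconfined` result lets a monitoring script tell "no AppArmor on this kernel" apart from "AppArmor present but this process has no policy".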