/srv/irclogs.ubuntu.com/2022/05/19/#ubuntu-security.txt

<sbeattie> ahasenack: hrm, I wonder if a specialized tool for that might make sense. aa-unconfined was originally intended as an "audit my system for things to consider confining" type tool.  16:35
<ahasenack> sbeattie: I think it does, look at what I did to check if a process was confined  16:54
<ahasenack> sbeattie: https://pastebin.ubuntu.com/p/Z4g8c36ZWM/  16:54
<ahasenack> and I understand there is a case where this isn't enough, when there are no (or there are) stacking lsm modules  16:54
<sbeattie> yeah, the potential cases / logic are more complex than 15 years ago when it was just "look in /proc/pid/attr/current" and it would be good to capture them in one place.  16:56
* sbeattie forgets if `ps -Z` does the right thing in the face of stacking; I think it *should* due to IIRC relying on libapparmor, but it would be worth testing.  16:57
<sbeattie> ahasenack: please feel free to open a bug somewhere, the gitlab project would be fine.  16:58
<ahasenack> ok  16:58
<ahasenack> sbeattie: filed: https://gitlab.com/apparmor/apparmor/-/issues/230  17:11
<ubottu> Issue 230 in apparmor/apparmor "Tool to check confinement status of a process" [Opened]  17:11
<jjohansen> ps -Z does not rely on libapparmor and it doesn't do the right thing when stacking  17:16
<jjohansen> aa-status should do the right thing  17:16
<sbeattie> jjohansen: ah, bummer.  17:30
<jjohansen> newer LSM stacking patches add a context file  17:32
<jjohansen> /proc/<pid>/attr/context which provides a compound label with \0 separated fields  17:32
<jjohansen> so something like  17:32
<jjohansen>   apparmor=unconfined\0selinux=unconfined_t\0smack=_  17:32
<jjohansen> which lets applications that are aware of it get all the values in a single read, and have a unified parsing  17:33
<jjohansen> so as long as we get patches into ps etc to use context when available they will be able to do the right thing  17:33
<jjohansen> but afaik the userspace side of things is still a big todo  17:34
