Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

aa_getcon(2) [linux man page]

AA_GETCON(2)							     AppArmor							      AA_GETCON(2)

NAME

       aa_getprocattr_raw, aa_getprocattr - read and parse procattr data

       aa_getcon, aa_gettaskcon - get task confinement information

       aa_getpeercon - get the confinement of a socket's other end (peer)

SYNOPSIS

       #include <sys/apparmor.h>

       int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,		       char **mode);

       int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);

       int aa_gettaskcon(pid_t target, char **con, char **mode);

       int aa_getcon(char **con, char **mode);

       int aa_getpeercon(int fd, char **con);

       Link with -lapparmor when compiling.

DESCRIPTION

       The aa_getcon function gets the current AppArmor confinement context for the current task.  The confinement context is usually just the
       name of the AppArmor profile restricting the task, but it may include the profile namespace or in some cases a set of profile names (known
       as a stack of profiles).  The returned string *con should be freed using free().

       The aa_gettaskcon function is like the aa_getcon function except it will work for any arbitrary task in the system.

       The aa_getpeercon function is similar to that of aa_gettaskcon except that it returns the confinement information for task on the other end
       of a socket connection.

       The aa_getprocattr function is the backend for the aa_getcon and aa_gettaskcon functions and handles the reading and parsing of the
       confinement data from different arbitrary attr files and returns the processed results in an allocated buffer.

       The aa_getprocattr_raw() is the backend for the aa_getprocattr function and does not handle buffer allocation.

RETURN VALUE

       On success size of data placed in the buffer is returned, this includes the mode if present and any terminating characters. On error, -1 is
       returned, and errno(3) is set appropriately.

ERRORS

       EINVAL
	   The apparmor kernel module is not loaded or the communication via the /proc/*/attr/file did not conform to protocol.

       ENOMEM
	   Insufficient kernel memory was available.

       EACCES
	   Access to the specified file/task was denied.

       ENOENT
	   The specified file/task does not exist or is not visible.

       ERANGE
	   The confinement data is to large to fit in the supplied buffer.

BUGS

       None known. If you find any, please report them at <http://https://bugs.launchpad.net/apparmor/+filebug>.

SEE ALSO

       apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2) and <http://wiki.apparmor.net>.

AppArmor 2.7.103						    2012-06-28							      AA_GETCON(2)

Check Out this Related Man Page

AA-STATUS(8)							     AppArmor							      AA-STATUS(8)

NAME

       aa-status - display various information about the current AppArmor policy.

SYNOPSIS

       aa-status [option]

DESCRIPTION

       aa-status will report various aspects of the current state of AppArmor confinement. By default, it displays the same information as if the
       --verbose argument were given. A sample of what this looks like is:

	 apparmor module is loaded.
	 110 profiles are loaded.
	 102 profiles are in enforce mode.
	 8 profiles are in complain mode.
	 Out of 129 processes running:
	 13 processes have profiles defined.
	 8 processes have profiles in enforce mode.
	 5 processes have profiles in complain mode.

       Other argument options are provided to report individual aspects, to support being used in scripts.

OPTIONS

       aa-status accepts only one argument at a time out of:

       --enabled
	   returns error code if AppArmor is not enabled.

       --profiled
	   displays the number of loaded AppArmor policies.

       --enforced
	   displays the number of loaded enforcing AppArmor policies.

       --complaining
	   displays the number of loaded non-enforcing AppArmor policies.

       --verbose
	   displays multiple data points about loaded AppArmor policy set (the default action if no arguments are given).

       --help
	   displays a short usage statement.

BUGS

       aa-status must be run as root to read the state of the loaded policy from the apparmor module. It uses the /proc filesystem to determine
       which processes are confined and so is susceptible to race conditions.

       Upon exiting, aa-status will set its return value to the following values:

       0   if apparmor is enabled and policy is loaded.

       1   if apparmor is not enabled/loaded.

       2   if apparmor is enabled but no policy is loaded.

       3   if the apparmor control files aren't available under /sys/kernel/security/.

       4   if the user running the script doesn't have enough privileges to read the apparmor control files.

       If you find any additional bugs, please report them at <http://https://bugs.launchpad.net/apparmor/+filebug>.

SEE ALSO

       apparmor(7), apparmor.d(5), and <http://wiki.apparmor.net>.

AppArmor 2.7.103						    2012-06-28							      AA-STATUS(8)
Man Page