2
# $Id: apparmor_status 10 2006-04-12 20:31:08Z steve-beattie $
3
# ------------------------------------------------------------------
5
# Copyright (C) 2005-2006 Novell/SUSE
7
# This program is free software; you can redistribute it and/or
8
# modify it under the terms of version 2 of the GNU General Public
9
# License published by the Free Software Foundation.
11
# ------------------------------------------------------------------
17
my $confdir = "/etc/apparmor";
19
my $check_enabled = 0;
20
my $count_enforced = 0;
21
my $count_profiled = 0;
22
my $count_complain = 0;
27
'complaining' => \$count_complain,
28
'enabled' => \$check_enabled,
29
'enforced' => \$count_enforced,
30
'profiled' => \$count_profiled,
31
'verbose|v' => \$verbose,
36
print "Usage: $0 [OPTIONS]\n";
37
print "Displays various information about the currently loaded AppArmor policy.\n";
38
print "OPTIONS (one only):\n";
39
print " --enabled returns error code if subdomain not enabled\n";
40
print " --profiled prints the number of loaded policies\n";
41
print " --enforced prints the number of loaded enforcing policies\n";
42
print " --complaining prints the number of loaded non-enforcing policies\n";
43
print " --verbose (default) displays multiple data points about loaded policy set\n";
44
print " --help this message\n";
48
$verbose = 1 if ($count_complain + $check_enabled + $count_enforced + $count_profiled == 0);
49
usage() if $help or ($count_complain + $check_enabled + $count_enforced + $count_profiled + $verbose > 1);
51
sub is_subdomain_loaded() {
52
if(open(MODULES, "/proc/modules")) {
54
return 1 if m/^(subdomain|apparmor)\s+/;
61
sub find_subdomainfs() {
64
if(open(MOUNTS, "/proc/mounts")) {
66
$sd_mountpoint = "$1/apparmor" if m/^\S+\s+(\S+)\s+securityfs\s/ && -e "$1/apparmor";
67
$sd_mountpoint = "$1/subdomain" if m/^\S+\s+(\S+)\s+securityfs\s/ && -e "$1/subdomain";
68
$sd_mountpoint = $1 if m/^\S+\s+(\S+)\s+subdomainfs\s/ && -e "$1";
73
return $sd_mountpoint;
77
my $mountpoint = shift;
82
if (open(PROFILES, "$mountpoint/profiles")) {
85
$enforced++ if m/\(enforce\)$/;
86
$complain++ if m/\(complain\)$/;
90
return ($profiles, $enforced, $complain);
98
if (opendir(PROC, "/proc")) {
100
while (defined($file = readdir(PROC))) {
101
if ($file =~ m/^\d+/ && open(CURRENT, "/proc/$file/attr/current")) {
104
$confined++ if not m/^unconstrained$/;
105
$enforced++ if m/\(enforce\)$/;
106
$complain++ if m/\(complain\)$/;
113
return ($processes, $confined, $enforced, $complain);
116
my $is_loaded = is_subdomain_loaded();
119
print STDERR "apparmor module is not loaded.\n" if $verbose;
123
print "apparmor module is loaded.\n" if $verbose;
125
$sd_mountpoint = find_subdomainfs();
126
if (!$sd_mountpoint) {
127
print STDERR "apparmor filesystem is not mounted.\n" if $verbose;
131
if (! -r "$sd_mountpoint/profiles") {
132
print STDERR "You do not have enough privilege to read the profile set.\n" if $verbose;
136
#print "subdomainfs is at $sd_mountpoint.\n" if $verbose;
143
($profiles, $enforced, $complain) = count_profiles($sd_mountpoint);
145
# we consider the case where no profiles are loaded to be "disabled" as well
146
my $rc = ($profiles == 0) ? 2 : 0;
148
if ($check_enabled) {
152
if ($count_profiled) {
157
if ($count_enforced) {
162
if ($count_complain) {
169
print "$profiles profiles are loaded.\n";
170
print "$enforced profiles are in enforce mode.\n";
171
print "$complain profiles are in complain mode.\n";
174
($processes, $profiles, $enforced, $complain) = count_processes();
177
print "Out of $processes processes running:\n";
178
print "$profiles processes have profiles defined.\n";
179
print "$enforced processes have profiles in enforce mode.\n";
180
print "$complain processes have profiles in complain mode.\n";