1

Apparmor's aa-status command reports the status of apparmor, but what do the double and triple slashes mean or do in the list of profiles reported?

For example, what is the double slash (//) in /usr/bin/evince-previewer//sanitized_helper for?

Here is a typical aa-status output:

# aa-status apparmor module is loaded. 67 profiles are loaded. 50 profiles are in enforce mode. /snap/core/13886/usr/lib/snapd/snap-confine /snap/core/13886/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/bin/evince /usr/bin/evince-previewer /usr/bin/evince-previewer//sanitized_helper /usr/bin/evince-thumbnailer /usr/bin/evince//sanitized_helper /usr/bin/freshclam /usr/bin/man /usr/bin/pidgin /usr/bin/pidgin//sanitized_helper /usr/bin/totem /usr/bin/totem-audio-preview /usr/bin/totem-video-thumbnailer /usr/bin/totem//sanitized_helper /usr/lib/cups/backend/cups-pdf /usr/lib/snapd/snap-confine /usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/lib/telepathy/mission-control-5 /usr/lib/telepathy/telepathy-* /usr/lib/telepathy/telepathy-*//pxgsettings /usr/lib/telepathy/telepathy-*//sanitized_helper /usr/lib/telepathy/telepathy-ofono /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium /usr/sbin/cups-browsed /usr/sbin/cupsd /usr/sbin/cupsd//third_party /usr/sbin/mysqld-akonadi /usr/sbin/mysqld-akonadi///usr/sbin/mysqld /usr/sbin/ntpd apt-cacher-ng lsb_release man_filter man_groff nvidia_modprobe nvidia_modprobe//kmod snap-update-ns.core snap-update-ns.snap-store snap.core.hook.configure snap.snap-store.hook.configure snap.snap-store.snap-store snap.snap-store.ubuntu-software snap.snap-store.ubuntu-software-local-file tcpdump thunderbird thunderbird//browser_java thunderbird//browser_openjdk thunderbird//gpg thunderbird//sanitized_helper 17 profiles are in complain mode. /usr/bin/irssi /usr/sbin/dnsmasq /usr/sbin/dnsmasq//libvirt_leaseshelper avahi-daemon identd klogd mdnsd nmbd nscd ping smbd smbldap-useradd smbldap-useradd///etc/init.d/nscd syslog-ng syslogd thunderbird///opt/firefox/firefox-bin traceroute 16 processes have profiles defined. 7 processes are in enforce mode. /usr/bin/evince (12497) /usr/bin/freshclam (1328) /usr/sbin/cups-browsed (128117) /usr/sbin/cupsd (128098) /usr/sbin/ntpd (1369) /usr/lib/thunderbird/thunderbird-bin (211830) thunderbird /usr/lib/thunderbird/thunderbird-bin (211927) thunderbird 9 processes are in complain mode. /usr/sbin/dnsmasq (828) /usr/sbin/avahi-daemon (703) avahi-daemon /usr/sbin/avahi-daemon (740) avahi-daemon /usr/sbin/nmbd (1332) nmbd /usr/sbin/nscd (716) nscd /usr/sbin/smbd (1531) smbd /usr/sbin/smbd (1705) smbd /usr/sbin/smbd (1706) smbd /usr/sbin/smbd (1708) smbd 0 processes are unconfined but have a profile defined.
Improve this question
2
  • 2
    @Quasímodo, no, we're talking of apparmor profiles here, not file paths. Here it's more like the profile of an evince process that has transitioned to a sanitized_helper subprofile after having executed a helper application. See the "Directed profile transitions" in apparmor.d(5) Commented Nov 20, 2022 at 11:50
  • 1
    See github.com/torvalds/linux/blob/v6.0/security/apparmor/… Commented Nov 20, 2022 at 12:01

0

Reset to default

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.