.\" -*- mode: troff; coding: utf-8 -*- .\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. .ie n \{\ . ds C` "" . ds C' "" 'br\} .el\{\ . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "AA-UNCONFINED 8" .TH AA-UNCONFINED 8 2024-08-15 "AppArmor 4.0.3" AppArmor .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME aa\-unconfined \- output a list of processes with tcp or udp ports that do not have AppArmor profiles loaded .SH SYNOPSIS .IX Header "SYNOPSIS" \&\fBaa-unconfined [\fR\f(BI\-\-paranoid\fR\fB] [\fR\f(BI\-\-with\-ss\fR\fB | \fR\f(BI\-\-with\-netstat\fR\fB]\fR .SH OPTIONS .IX Header "OPTIONS" .IP \fB\-\-paranoid\fR 4 .IX Item "--paranoid" Displays all processes from \fI/proc\fR filesystem with tcp or udp ports that do not have AppArmor profiles loaded. .IP \fB\-\-with\-ss\fR 4 .IX Item "--with-ss" Use the \fBss\fR\|(8) command to find processes listening on network sockets (the default). .IP \fB\-\-with\-netstat\fR 4 .IX Item "--with-netstat" Use the \fBnetstat\fR\|(8) command to find processes listening on network sockets. This is also what aa-unconfined will fall back to when \fBss\fR\|(8) is not available. .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBaa-unconfined\fR will use \fBnetstat\fR\|(8) to determine which processes have open network sockets and do not have AppArmor profiles loaded into the kernel. .SH BUGS .IX Header "BUGS" \&\fBaa-unconfined\fR must be run as root to retrieve the process executable link from the \fI/proc\fR filesystem. This program is susceptible to race conditions of several flavours: an unlinked executable will be mishandled; an executable started before an AppArmor profile is loaded will not appear in the output, despite running without confinement; a process that dies between the \fBnetstat\fR\|(8) and further checks will be mishandled. This program only lists processes using TCP and UDP. In short, this program is unsuitable for forensics use and is provided only as an aid to profiling all network-accessible processes in the lab. .PP If you find any bugs, please report them at . .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBss\fR\|(8), \fBnetstat\fR\|(8), \fBapparmor\fR\|(7), \fBapparmor.d\fR\|(5), \fBaa_change_hat\fR\|(2), and .