From 24b4df33bdef304b40d17f23efab2bbecb942340 Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 20 Jul 2016 19:38:31 +0100
Subject: [PATCH] session-lockdown: provide better diagnostics

Reviewed-by: Mathieu Duponchelle <mathieu.duponchelle@opencreed.com>
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3638
---
 apparmor/session-lockdown/no-deny | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/apparmor/session-lockdown/no-deny b/apparmor/session-lockdown/no-deny
index 01a2a6a..ebc9fa7 100755
--- a/apparmor/session-lockdown/no-deny
+++ b/apparmor/session-lockdown/no-deny
@@ -97,7 +97,10 @@ def get_processes(profiles):
                         # keep only unconfined processes that have a profile defined
                         processes[filename] = { 'profile' : exe,
                                                 'mode' : 'unconfined' }
-                    elif p.strip() != 'unconfined':
+                    elif p.strip() == 'unconfined':
+                        # this is fine: something like process 1 (systemd)
+                        print('# unconfined process {!r} {!r} has no profile, ignoring'.format(filename, exe))
+                    else:
                         not_ok('process {} {!r} context {!r} could not be '
                                'parsed'.format(filename, exe, p))
             except:
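Review bot: The new `elif p.strip() == 'unconfined':` branch treats every unconfined process without a profile as acceptable, but its comment only offers process 1 (systemd) as an example, so a reader of this lockdown test cannot tell whether accepting all of them is deliberate. I would spell that out in the comment, e.g. `# not a failure: no profile is defined for this executable, so there is nothing to enforce; reported for diagnosis only (e.g. process 1, systemd)`. The diagnostic formats `filename` with `{!r}` while the `not_ok` message just below uses `{}` for the same value; using one form in both makes the output easier to correlate. The enclosing `try` starts above the hunk and the handler of the bare `except:` on the last line is outside it, so it is not visible here how an error raised by the new `print` would be reported.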
-- 
GitLab