This file is indexed.

/usr/sbin/aa-remove-unknown is in apparmor 2.11.0-3+deb9u2.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
#!/bin/sh
# ----------------------------------------------------------------------
#    Copyright (c) 2017 Canonical Ltd. (All rights reserved)
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program. If not, see <http://www.gnu.org/licenses/>.
# ----------------------------------------------------------------------

APPARMOR_FUNCTIONS=/lib/apparmor/functions
APPARMORFS=/sys/kernel/security/apparmor
PROFILES_IFACE="${APPARMORFS}/profiles"
REMOVE="${APPARMORFS}/.remove"

DRY_RUN=0

. $APPARMOR_FUNCTIONS

usage() {
	local progname="$1"
	local rc="$2"
	local msg="usage: ${progname} [options]\n
Remove profiles unknown to the system

Options:
 -h, --help	Show this help message and exit
 -n		Dry run; don't remove profiles"

	if [ "$rc" -ne 0 ] ; then
		echo "$msg" 1>&2
	else
		echo "$msg"
	fi

	exit "$rc"
}

if [ "$#" -gt 1 ] ; then
	usage "$0" 1
elif [ "$#" -eq 1 ] ; then
	if [ "$1" = "-h" -o "$1" = "--help" ] ; then
		usage "$0" 0
	elif [ "$1" = "-n" ] ; then
		DRY_RUN=1
	else
		usage "$0" 1
	fi
fi


# We can't use a -r test here because while $PROFILES_IFACE is world-readable,
# apparmorfs may still return EACCES from open()
#
# We have to do this check because error checking awk's getline() below is
# tricky and, as is, results in an infinite loop when apparmorfs returns an
# error from open().
if ! IFS= read line < "$PROFILES_IFACE" ; then
	echo "ERROR: Unable to read apparmorfs profiles file" 1>&2
	exit 1
elif [ ! -w "$REMOVE" ] ; then
	echo "ERROR: Unable to write to apparmorfs remove file" 1>&2
	exit 1
fi

# Clean out running profiles not associated with the current profile
# set, excluding the libvirt dynamically generated profiles.
aa_configured=$(mktemp -t aa-XXXXXX)
configured_profile_names > "$aa_configured"
if [ "$?" -ne 0 ] ; then
	echo "ERROR: Unable to enumerate the known profiles" 1>&2
	rm -f "$aa_configured" "$aa_loaded"
	exit 1
fi

aa_loaded=$(mktemp -t aa-XXXXXX)
running_profile_names > "$aa_loaded" || true
if [ "$?" -ne 0 ] ; then
	echo "ERROR: Unable to enumerate the running profiles" 1>&2
	rm -f "$aa_configured" "$aa_loaded"
	exit 1
fi

LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
	if [ "$DRY_RUN" -ne 0 ]; then
		echo "Would remove '${profile}'"
	else
		echo "Removing '${profile}'"
		unload_profile "$profile"
	fi
done
ret="$?"

rm -f "$aa_configured" "$aa_loaded"

# will not catch all errors, but still better than nothing
exit $ret