whyno apparmor check
layer 7: pure function over pre-gathered mac state — reads apparmor profile label from systemstate.mac_state
source: checks/apparmor.rs, state/mac.rs

components
- process: check_apparmor(state)
  pure function — reads state.mac_state.apparmor. no syscalls at check time.
- decision: mac_state.apparmor probe?
  checks the probe<apparmorstate> gathered before the check pipeline ran
- degraded: apparmor state not gathered
  probe is unknown or inaccessible — apparmor not active, feature not compiled, or gather failed
- decision: starts with 'unconfined'?
  unconfined subjects bypass all apparmor policy
- pass: subject is unconfined
  process has no apparmor profile — all access permitted by this layer
- process: parse_profile_label(), label format 'name (mode)'
  parses the profile label string into name and mode components
- decision: profile mode?
  determines whether the profile is in enforce, complain, or unknown mode
- decision: is_metadata()?
  metadata ops require capability-rule mediation (chown/fowner/sys_admin), not file access rules
- degraded: enforce mode — rebuild with libapparmor for full policy query
  profile is in enforce mode but libapparmor policy query is not available
- degraded: enforce mode — metadata ops require capability rules (chown/fowner/sys_admin)
  chmod/chown/setxattr under a confined profile cannot be evaluated without libapparmor capability-rule query
- pass with warnings: complain mode
  violations are logged but not blocked; deny rules still enforced in complain mode
- degraded: cannot determine mode for profile
  profile label parsed but mode string was not recognised
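the decision tree above, written out as a self-contained rust program. this is an added illustration, not whyno's own checks/apparmor.rs: the Probe, ApparmorState, MacState, SystemState, Op, Verdict and state_with_label names are assumptions, and the profile labels in main are constructed samples. it keeps the layer's key property (no syscalls at check time: everything is read from the state struct handed in) and walks every branch listed above, including the metadata-op split under enforce mode.

```rust
/// Result of a probe gathered before the check pipeline ran (assumed shape).
#[derive(Debug, Clone, PartialEq)]
pub enum Probe<T> {
    Unknown,      // never gathered / feature not compiled
    Inaccessible, // gather attempted but failed
    Gathered(T),
}

/// Assumed AppArmor state: just the raw label, e.g. "unconfined" or "/usr/bin/foo (enforce)".
#[derive(Debug, Clone, PartialEq)]
pub struct ApparmorState {
    pub label: String,
}

#[derive(Debug, Clone, PartialEq)]
pub struct MacState {
    pub apparmor: Probe<ApparmorState>,
}

#[derive(Debug, Clone, PartialEq)]
pub struct SystemState {
    pub mac_state: MacState,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ProfileMode { Enforce, Complain, Unknown }

/// Hypothetical operation kind the caller is asking about.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Op { Read, Write, Exec, Chmod, Chown, Setxattr }

impl Op {
    /// Metadata ops are mediated by capability rules, not file access rules.
    pub fn is_metadata(self) -> bool {
        matches!(self, Op::Chmod | Op::Chown | Op::Setxattr)
    }
}

#[derive(Debug, Clone, PartialEq)]
pub enum Verdict {
    Pass,
    PassWithWarnings(String),
    Degraded(String),
}

/// Parse "name (mode)" into its parts; a label with no parenthesised mode yields Unknown.
pub fn parse_profile_label(label: &str) -> (String, ProfileMode) {
    let label = label.trim();
    if let (Some(open), true) = (label.rfind(" ("), label.ends_with(')')) {
        let name = label[..open].trim().to_string();
        let mode = match label[open + 2..label.len() - 1].trim() {
            "enforce" => ProfileMode::Enforce,
            "complain" => ProfileMode::Complain,
            _ => ProfileMode::Unknown,
        };
        return (name, mode);
    }
    (label.to_string(), ProfileMode::Unknown)
}

/// Pure check: reads only the pre-gathered state, never the live system.
pub fn check_apparmor(state: &SystemState, op: Op) -> Verdict {
    let apparmor = match &state.mac_state.apparmor {
        Probe::Gathered(s) => s,
        Probe::Unknown | Probe::Inaccessible => {
            return Verdict::Degraded("apparmor state not gathered".to_string())
        }
    };
    // Unconfined subjects bypass all AppArmor policy: this layer permits everything.
    if apparmor.label.starts_with("unconfined") {
        return Verdict::Pass;
    }
    let (name, mode) = parse_profile_label(&apparmor.label);
    match mode {
        ProfileMode::Enforce if op.is_metadata() => Verdict::Degraded(
            "enforce mode: metadata ops require capability rules (chown/fowner/sys_admin)".to_string(),
        ),
        ProfileMode::Enforce => Verdict::Degraded(
            "enforce mode: rebuild with libapparmor for full policy query".to_string(),
        ),
        ProfileMode::Complain => Verdict::PassWithWarnings(
            "complain mode: violations are logged but not blocked; deny rules still enforced".to_string(),
        ),
        ProfileMode::Unknown => {
            Verdict::Degraded(format!("cannot determine mode for profile {}", name))
        }
    }
}

/// Build a state whose AppArmor probe was gathered with the given label (test helper).
pub fn state_with_label(label: &str) -> SystemState {
    SystemState {
        mac_state: MacState {
            apparmor: Probe::Gathered(ApparmorState { label: label.to_string() }),
        },
    }
}

fn main() {
    // Constructed sample labels, one per branch of the decision tree.
    let samples: [(&str, Op); 4] = [
        ("unconfined", Op::Read),
        ("/usr/bin/foo (enforce)", Op::Chown),
        ("/usr/bin/foo (complain)", Op::Write),
        ("/usr/bin/foo (weird)", Op::Read),
    ];
    for &(label, op) in samples.iter() {
        println!("{:?} {:?} -> {:?}", label, op, check_apparmor(&state_with_label(label), op));
    }
    let ungathered = SystemState { mac_state: MacState { apparmor: Probe::Unknown } };
    println!("not gathered -> {:?}", check_apparmor(&ungathered, Op::Read));
}
```

note that a bare label without " (mode)" is treated as unknown mode rather than guessed: the check degrades instead of claiming a verdict it cannot justify, which is the same conservative choice the enforce-mode branches make when libapparmor is not available.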