added firejail --apparmor.print and firemon --apparmor

author: netblue30 <netblue30@yahoo.com> 2018-01-24 08:48:50 -0500
committer: netblue30 <netblue30@yahoo.com> 2018-01-24 08:48:50 -0500
commit: 5ebebb1211364a4d7164ad30d021adabf5374d32 (patch)
tree: adcd26d88b059d25e058e19c56dd496c811e1690
parent: apparmor support for --overlay sandboxes (diff)
download: firejail-5ebebb1211364a4d7164ad30d021adabf5374d32.tar.gz
firejail-5ebebb1211364a4d7164ad30d021adabf5374d32.tar.zst
firejail-5ebebb1211364a4d7164ad30d021adabf5374d32.zip
9 files changed, 106 insertions, 2 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9cd89d42c..00e3729d0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -511,6 +511,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                cpu_print_filter(pid);
                exit(0);
        }
+        else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) {
+                // join sandbox by pid or by name
+                pid_t pid = read_pid(argv[i] + 17);
+                char *pidstr;
+                if (asprintf(&pidstr, "%u", pid) == -1)
+                        errExit("asprintf");
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIREMON, "--apparmor", pidstr);
+                free(pidstr);
+                exit(0);
+        }
        else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                // join sandbox by pid or by name
                pid_t pid = read_pid(argv[i] + 13);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 1106a4389..15b548d20 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
        printf("\thome directories.\n");
        printf("    --allusers - all user home directories are visible inside the sandbox.\n");
        printf("    --apparmor - enable AppArmor confinement.\n");
+        printf("    --apparmor.print=name|pid - print apparmor status.\n");
        printf("    --appimage - sandbox an AppImage application.\n");
        printf("    --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index c24bae9ff..326c305d9 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -6,13 +6,14 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_GCOV=@HAVE_GCOV@
+HAVE_APPARMOR=@HAVE_APPARMOR@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 HAVE_GCOV=@HAVE_GCOV@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c
new file mode 100644
index 000000000..0fe287e8f
--- /dev/null
+++ b/src/firemon/apparmor.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firemon.h"
+#include <sys/apparmor.h>
+#ifdef HAVE_APPARMOR
+static void print_apparmor(int pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv != -1) {
+                printf("  AppArmor: ");
+                if (label)
+                        printf("%s ", label);
+                if (mode)
+                        printf("%s", mode);
+                printf("\n");
+        }
+}
+void apparmor(pid_t pid, int print_procs) {
+        pid_read(pid);
+        // print processes
+        int i;
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 1) {
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, arg_nowrap);
+                        int child = find_child(i);
+                        if (child != -1)
+                                print_apparmor(child);
+                }
+        }
+        printf("\n");
+}
+#else
+void apparmor(pid_t pid, int print_procs) {
+        (void) pid;
+        (void) print_procs;
+        printf("AppArmor support not available\n");
+}
+#endif
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 44e2b8687..54f0c5fc9 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -37,6 +37,7 @@ static int arg_x11 = 0;
 static int arg_top = 0;
 static int arg_list = 0;
 static int arg_netstats = 0;
+static int arg_apparmor = 0;
 int arg_nowrap = 0;
 static struct termios tlocal;   // startup terminal setting
@@ -178,6 +179,8 @@ int main(int argc, char **argv) {
                        arg_route = 1;
                else if (strcmp(argv[i], "--arp") == 0)
                        arg_arp = 1;
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
                else if (strncmp(argv[i], "--name=", 7) == 0) {
                        char *name = argv[i] + 7;
@@ -238,7 +241,7 @@ int main(int argc, char **argv) {
        }
        // if --name requested without other options, print all data
-        if (pid && !arg_cpu && !arg_seccomp && !arg_caps &&
+        if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
            !arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
                arg_tree = 1;
                arg_cpu = 1;
@@ -249,6 +252,7 @@ int main(int argc, char **argv) {
                arg_interface = 1;
                arg_route = 1;
                arg_arp = 1;
+                arg_apparmor = 1;
        }
        // cumulative options
@@ -265,6 +269,10 @@ int main(int argc, char **argv) {
                caps((pid_t) pid, print_procs);
                print_procs = 0;
        }
+        if (arg_apparmor) {
+                apparmor((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
        if (arg_cgroup) {
                cgroup((pid_t) pid, print_procs);
                print_procs = 0;
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index a03aa85e5..2e0466638 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -83,4 +83,7 @@ void netstats(void);
 // x11.c
 void x11(pid_t pid, int print_procs);
+//apparmor.c
+void apparmor(pid_t pid, int print_procs);
 #endif
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 9d3babf55..617f4dacd 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -27,6 +27,7 @@ void usage(void) {
        printf("are also being monitored. On Grsecurity systems only root user\n");
        printf("can run this program.\n\n");
        printf("Options:\n");
+        printf("\t--apparmor - print AppArmor confinement status for each sandbox.\n\n");
        printf("\t--arp - print ARP table for each sandbox.\n\n");
        printf("\t--caps - print capabilities configuration for each sandbox.\n\n");
        printf("\t--cgroup - print control group information for each sandbox.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1a769176c..8704e53b3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -111,6 +111,21 @@ $ firejail --appimage krita-3.0-x86_64.appimage
 $ firejail --appimage --private krita-3.0-x86_64.appimage
 .br
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+.TP
+\fB\-\-apparmor.print=name|pid
+Print the AppArmor confinement status for the sandbox identified by name or by PID.
+.br
+.br
+Example:
+.br
+$ firejail \-\-apparmor.print=browser
+.br
+5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
+.br
+  AppArmor: firejail-default enforce
 .TP
 \fB\-\-audit
 Audit the sandbox, see \fBAUDIT\fR section for more details.
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 957a224c6..4827bbbeb 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -10,6 +10,9 @@ these processes are also being monitored. On Grsecurity systems only root user
 can run this program.
 .SH OPTIONS
 .TP
+\fB\-\-apparmor
+Print AppArmor confinement status for each sandbox.
+.TP
 \fB\-\-arp
 Print ARP table for each sandbox.
 .TP
author	netblue30 <netblue30@yahoo.com>	2018-01-24 08:48:50 -0500
committer	netblue30 <netblue30@yahoo.com>	2018-01-24 08:48:50 -0500
commit	5ebebb1211364a4d7164ad30d021adabf5374d32 (patch)
tree	adcd26d88b059d25e058e19c56dd496c811e1690
parent	apparmor support for --overlay sandboxes (diff)
download	firejail-5ebebb1211364a4d7164ad30d021adabf5374d32.tar.gz firejail-5ebebb1211364a4d7164ad30d021adabf5374d32.tar.zst firejail-5ebebb1211364a4d7164ad30d021adabf5374d32.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index 9cd89d42c..00e3729d0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -511,6 +511,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
511	cpu_print_filter(pid);	511	cpu_print_filter(pid);
512	exit(0);	512	exit(0);
513	}	513	}
		514	else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) {
		515	// join sandbox by pid or by name
		516	pid_t pid = read_pid(argv[i] + 17);
		517	char *pidstr;
		518	if (asprintf(&pidstr, "%u", pid) == -1)
		519	errExit("asprintf");
		520	sbox_run(SBOX_USER\| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3, PATH_FIREMON, "--apparmor", pidstr);
		521	free(pidstr);
		522	exit(0);
		523	}
514	else if (strncmp(argv[i], "--caps.print=", 13) == 0) {	524	else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
515	// join sandbox by pid or by name	525	// join sandbox by pid or by name
516	pid_t pid = read_pid(argv[i] + 13);	526	pid_t pid = read_pid(argv[i] + 13);


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1106a4389..15b548d20 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
34	printf("\thome directories.\n");	34	printf("\thome directories.\n");
35	printf(" --allusers - all user home directories are visible inside the sandbox.\n");	35	printf(" --allusers - all user home directories are visible inside the sandbox.\n");
36	printf(" --apparmor - enable AppArmor confinement.\n");	36	printf(" --apparmor - enable AppArmor confinement.\n");
		37	printf(" --apparmor.print=name\|pid - print apparmor status.\n");
37	printf(" --appimage - sandbox an AppImage application.\n");	38	printf(" --appimage - sandbox an AppImage application.\n");
38	printf(" --audit[=test-program] - audit the sandbox.\n");	39	printf(" --audit[=test-program] - audit the sandbox.\n");
39	#ifdef HAVE_NETWORK	40	#ifdef HAVE_NETWORK


diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in index c24bae9ff..326c305d9 100644 --- a/src/firemon/Makefile.in +++ b/src/firemon/Makefile.in
@@ -6,13 +6,14 @@ VERSION=@PACKAGE_VERSION@
6	NAME=@PACKAGE_NAME@	6	NAME=@PACKAGE_NAME@
7	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@	7	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8	HAVE_GCOV=@HAVE_GCOV@	8	HAVE_GCOV=@HAVE_GCOV@
		9	HAVE_APPARMOR=@HAVE_APPARMOR@
9	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@	10	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
10		11
11	H_FILE_LIST = $(sort $(wildcard *.[h]))	12	H_FILE_LIST = $(sort $(wildcard *.[h]))
12	C_FILE_LIST = $(sort $(wildcard *.c))	13	C_FILE_LIST = $(sort $(wildcard *.c))
13	OBJS = $(C_FILE_LIST:.c=.o)	14	OBJS = $(C_FILE_LIST:.c=.o)
14	BINOBJS = $(foreach file, $(OBJS), $file)	15	BINOBJS = $(foreach file, $(OBJS), $file)
15	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	16	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
16	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now	17	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
17	HAVE_GCOV=@HAVE_GCOV@	18	HAVE_GCOV=@HAVE_GCOV@
18	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@	19	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@


diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c new file mode 100644 index 000000000..0fe287e8f --- /dev/null +++ b/src/firemon/apparmor.c
@@ -0,0 +1,62 @@
		1	/*
		2	* Copyright (C) 2014-2018 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "firemon.h"
		21	#include <sys/apparmor.h>
		22
		23	#ifdef HAVE_APPARMOR
		24	static void print_apparmor(int pid) {
		25	char *label = NULL;
		26	char *mode = NULL;
		27	int rv = aa_gettaskcon(pid, &label, &mode);
		28	if (rv != -1) {
		29	printf(" AppArmor: ");
		30	if (label)
		31	printf("%s ", label);
		32	if (mode)
		33	printf("%s", mode);
		34	printf("\n");
		35	}
		36	}
		37
		38	void apparmor(pid_t pid, int print_procs) {
		39	pid_read(pid);
		40
		41	// print processes
		42	int i;
		43	for (i = 0; i < max_pids; i++) {
		44	if (pids[i].level == 1) {
		45	if (print_procs \|\| pid == 0)
		46	pid_print_list(i, arg_nowrap);
		47	int child = find_child(i);
		48	if (child != -1)
		49	print_apparmor(child);
		50	}
		51	}
		52	printf("\n");
		53	}
		54
		55	#else
		56
		57	void apparmor(pid_t pid, int print_procs) {
		58	(void) pid;
		59	(void) print_procs;
		60	printf("AppArmor support not available\n");
		61	}
		62	#endif


diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 44e2b8687..54f0c5fc9 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c
@@ -37,6 +37,7 @@ static int arg_x11 = 0;
37	static int arg_top = 0;	37	static int arg_top = 0;
38	static int arg_list = 0;	38	static int arg_list = 0;
39	static int arg_netstats = 0;	39	static int arg_netstats = 0;
		40	static int arg_apparmor = 0;
40	int arg_nowrap = 0;	41	int arg_nowrap = 0;
41		42
42	static struct termios tlocal; // startup terminal setting	43	static struct termios tlocal; // startup terminal setting
@@ -178,6 +179,8 @@ int main(int argc, char **argv) {
178	arg_route = 1;	179	arg_route = 1;
179	else if (strcmp(argv[i], "--arp") == 0)	180	else if (strcmp(argv[i], "--arp") == 0)
180	arg_arp = 1;	181	arg_arp = 1;
		182	else if (strcmp(argv[i], "--apparmor") == 0)
		183	arg_apparmor = 1;
181		184
182	else if (strncmp(argv[i], "--name=", 7) == 0) {	185	else if (strncmp(argv[i], "--name=", 7) == 0) {
183	char *name = argv[i] + 7;	186	char *name = argv[i] + 7;
@@ -238,7 +241,7 @@ int main(int argc, char **argv) {
238	}	241	}
239		242
240	// if --name requested without other options, print all data	243	// if --name requested without other options, print all data
241	if (pid && !arg_cpu && !arg_seccomp && !arg_caps &&	244	if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
242	!arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {	245	!arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
243	arg_tree = 1;	246	arg_tree = 1;
244	arg_cpu = 1;	247	arg_cpu = 1;
@@ -249,6 +252,7 @@ int main(int argc, char **argv) {
249	arg_interface = 1;	252	arg_interface = 1;
250	arg_route = 1;	253	arg_route = 1;
251	arg_arp = 1;	254	arg_arp = 1;
		255	arg_apparmor = 1;
252	}	256	}
253		257
254	// cumulative options	258	// cumulative options
@@ -265,6 +269,10 @@ int main(int argc, char **argv) {
265	caps((pid_t) pid, print_procs);	269	caps((pid_t) pid, print_procs);
266	print_procs = 0;	270	print_procs = 0;
267	}	271	}
		272	if (arg_apparmor) {
		273	apparmor((pid_t) pid, print_procs);
		274	print_procs = 0;
		275	}
268	if (arg_cgroup) {	276	if (arg_cgroup) {
269	cgroup((pid_t) pid, print_procs);	277	cgroup((pid_t) pid, print_procs);
270	print_procs = 0;	278	print_procs = 0;


diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index a03aa85e5..2e0466638 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h
@@ -83,4 +83,7 @@ void netstats(void);
83	// x11.c	83	// x11.c
84	void x11(pid_t pid, int print_procs);	84	void x11(pid_t pid, int print_procs);
85		85
		86	//apparmor.c
		87	void apparmor(pid_t pid, int print_procs);
		88
86	#endif	89	#endif


diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 9d3babf55..617f4dacd 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c
@@ -27,6 +27,7 @@ void usage(void) {
27	printf("are also being monitored. On Grsecurity systems only root user\n");	27	printf("are also being monitored. On Grsecurity systems only root user\n");
28	printf("can run this program.\n\n");	28	printf("can run this program.\n\n");
29	printf("Options:\n");	29	printf("Options:\n");
		30	printf("\t--apparmor - print AppArmor confinement status for each sandbox.\n\n");
30	printf("\t--arp - print ARP table for each sandbox.\n\n");	31	printf("\t--arp - print ARP table for each sandbox.\n\n");
31	printf("\t--caps - print capabilities configuration for each sandbox.\n\n");	32	printf("\t--caps - print capabilities configuration for each sandbox.\n\n");
32	printf("\t--cgroup - print control group information for each sandbox.\n\n");	33	printf("\t--cgroup - print control group information for each sandbox.\n\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 1a769176c..8704e53b3 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -111,6 +111,21 @@ $ firejail --appimage krita-3.0-x86_64.appimage
111	$ firejail --appimage --private krita-3.0-x86_64.appimage	111	$ firejail --appimage --private krita-3.0-x86_64.appimage
112	.br	112	.br
113	$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage	113	$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
		114
		115	.TP
		116	\fB\-\-apparmor.print=name\|pid
		117	Print the AppArmor confinement status for the sandbox identified by name or by PID.
		118	.br
		119
		120	.br
		121	Example:
		122	.br
		123	$ firejail \-\-apparmor.print=browser
		124	.br
		125	5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
		126	.br
		127	AppArmor: firejail-default enforce
		128
114	.TP	129	.TP
115	\fB\-\-audit	130	\fB\-\-audit
116	Audit the sandbox, see \fBAUDIT\fR section for more details.	131	Audit the sandbox, see \fBAUDIT\fR section for more details.


diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 957a224c6..4827bbbeb 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt
@@ -10,6 +10,9 @@ these processes are also being monitored. On Grsecurity systems only root user
10	can run this program.	10	can run this program.
11	.SH OPTIONS	11	.SH OPTIONS
12	.TP	12	.TP
		13	\fB\-\-apparmor
		14	Print AppArmor confinement status for each sandbox.
		15	.TP
13	\fB\-\-arp	16	\fB\-\-arp
14	Print ARP table for each sandbox.	17	Print ARP table for each sandbox.
15	.TP	18	.TP