LinuxCommandLibrary

cs-resolve

Resolve container service names to addresses

TLDR

Resolve lists of transitive dependencies of two dependencies

$ cs resolve [group_id1]:[artifact_id1]:[artifact_version1] [group_id2]:[artifact_id2]:[artifact_version2]
copy

Resolve lists of transitive dependencies of a package by the dependency tree
$ cs resolve --tree [group_id]:[artifact_id]:[artifact_version]
copy

Resolve dependency tree in a reverse order (from a dependency to its dependencies)
$ cs resolve --reverse-tree [group_id]:[artifact_id]:[artifact_version]
copy

Print all the libraries that depends on a specific library
$ cs resolve [group_id]:[artifact_id]:[artifact_version] --what-depends-on [searched_group_id]:[searched_artifact_id]
copy

Print all the libraries that depends on a specific library version
$ cs resolve [group_id]:[artifact_id]:[artifact_version] --what-depends-on [searched_group_id]:[searched_artifact_id][searched_artifact_version]
copy

Print eventual conflicts between a set of packages
$ cs resolve --conflicts [group_id1:artifact_id1:artifact_version1 group_id2:artifact_id2:artifact_version2 ...]
copy

SYNOPSIS

cs-resolve [-h | --help] [--version] PROFILE

PARAMETERS

-h, --help
    Print usage message and exit

--version
    Print version information and exit

PROFILE
    Profile name or absolute/relative path to profile file

DESCRIPTION

cs-resolve is a utility for AppArmor, the Linux kernel security module providing file-based mandatory access control. It computes and displays the unique confinement specification (CS) hash for a specified AppArmor profile, given either by name (e.g., usr.sbin.sshd) or file path (e.g., /etc/apparmor.d/usr.sbin.sshd).

AppArmor uses these compact CS hashes internally to identify loaded profiles, particularly in namespace-aware setups, stacked profiles, or when multiple profiles share names. Hashes appear in kernel audit logs as tuples like (cs:1,abcdef0123456789) during enforcement events (allows/denials).

This tool is essential for debugging: administrators can map log entries back to source profile files, aiding logprof tuning or incident analysis. It automatically searches standard directories including /etc/apparmor.d, /var/lib/apparmor/profiles, and others configured in AppArmor.

Typically invoked post-profile parse or load; outputs a string ready for grep/search in logs. Part of apparmor-utils package.

CAVEATS

AppArmor-specific; requires installed AppArmor userspace tools. May fail if profile unparsable or dirs inaccessible. Not for runtime-loaded profiles without path.

EXAMPLE USAGE

cs-resolve /etc/apparmor.d/usr.bin.bash
cs(1,1234567890abcdef)

cs-resolve ssh
cs(2,abcdef0123456789)

LOG CORRELATION

In audit.log: type=AVC apparmor=denied ... cs(1,1234567890abcdef)
Run cs-resolve to identify profile.

HISTORY

Introduced in AppArmor 2.13 (2018) with "magic" profile attachment for namespaces/stacking. Enhanced in 3.0+ for better hash handling; maintained in Ubuntu/Debian apparmor-utils.

SEE ALSO

aa-status(8), apparmor_parser(8), aa-logprof(8), auditctl(8)

Copied to clipboard