[apparmor] [PATCH] make aa-unconfined include ipv6
John Johansen
john.johansen at canonical.com
Fri Dec 2 00:39:06 UTC 2016
On 12/01/2016 04:34 PM, Seth Arnold wrote:
> On Thu, Dec 01, 2016 at 04:13:26PM -0800, John Johansen wrote:
>> aa-unconfined currently does not check/display ipv6, fix this
>
> Sorry to say this isn't sufficient to fix the issue. To test, run in one
> terminal:
>
> nc -6 -l 1234
>
> and check that aa-unconfined still doesn't show the process.
>
> The regex_tcp_udp line needs to be updated to at least allow an optional
> '6':
>
> - regex_tcp_udp = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)")
> + regex_tcp_udp = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)")
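Review bot: the "6?" in the added line sits outside the first capture group, so group 1 is still only "tcp" or "udp" and whatever consumes the match cannot tell a tcp6 listener from a tcp one. If the report is meant to show the address family, fold it into the group as "(tcp6?|udp6?)". On the case not yet tried, binding to a specific IPv6 address: the local-address part "\S+\:(\d+)" is greedy and backtracks to the last colon before the whitespace, so a local address written as "::1:1234" still yields port 1234. A one-line comment above the regex saying that would help the next reader.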
>
> -------------------------------------------^^
>
> While these changes are sufficient for my simple test to work, I haven't
> yet tried binding to specific IPv6 addresses.
>
oops, yep
meh, sufficient is good enough, we can add more as we encounter a need
updated patch below
=== modified file 'utils/aa-unconfined'
--- utils/aa-unconfined 2016-10-01 18:57:09 +0000
+++ utils/aa-unconfined 2016-12-02 00:38:27 +0000
@@ -43,13 +43,13 @@
if paranoid:
pids = list(filter(lambda x: re.search(r"^\d+$", x), aa.get_subdirectories("/proc")))
else:
- regex_tcp_udp = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)")
+ regex_tcp_udp = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)")
import subprocess
if sys.version_info < (3, 0):
- output = subprocess.check_output("LANG=C netstat -nlp", shell=True).split("\n")
+ output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
else:
#Python3 needs to translate a stream of bytes to string with specified encoding
- output = str(subprocess.check_output("LANG=C netstat -nlp", shell=True), encoding='utf8').split("\n")
+ output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n")
for line in output:
match = regex_tcp_udp.search(line)
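Review bot: the command string "LANG=C netstat -nlp46" is repeated in the Python 2 and the Python 3 branch, so this one-flag change had to be made twice. Assign it to a single variable above the "if sys.version_info" check and pass that variable to both check_output calls. While these lines are being touched, "LC_ALL=C" would be more robust than "LANG=C": an LC_ALL already set in the caller's environment overrides LANG, and the regex depends on the literal "LISTEN" appearing in the output. The description should also say that two things change here, the "6?" in regex_tcp_udp and the "46" added to the netstat flags, and which of them the nc -6 test actually needed.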