[apparmor] [PATCH] make aa-unconfined include ipv6

Steve Beattie steve at nxnw.org
Fri Dec 2 00:58:15 UTC 2016


On Thu, Dec 01, 2016 at 04:47:23PM -0800, Seth Arnold wrote:
> On Thu, Dec 01, 2016 at 04:39:06PM -0800, John Johansen wrote:
> > meh, sufficient is good enough, we can add more as we encounter a need
> > 
> > updated patch below
> 
> You're right, I can't figure out how to get nc or socat to listen to a
> specific address. (Odd. I'd have expected this to just be obvious in
> either tool.)
> 
> So, in the meantime, this is great! :D
> 
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
> 
> Acked for everything.

Also acked from me, thanks.

In testing, I did notice one thing not getting turned up, from
netstat -nlp46 output:

  raw6       0      0 :::58                   :::*                    7        1326/NetworkManager

which when asking netstat to display name resolution ends up being:

  raw6       0      0 [::]:ipv6-icmp          [::]:*                  7        1326/NetworkManager

Of course, aa-unconfined doesn't show this; the following patch adds
that by adding the raw keyword as an alternative to tcp|udp and
accepting a number as an alternative to LISTEN.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 utils/aa-unconfined |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: b/utils/aa-unconfined
===================================================================
--- a/utils/aa-unconfined
+++ b/utils/aa-unconfined
@@ -43,7 +43,7 @@ pids = []
 if paranoid:
     pids = list(filter(lambda x: re.search(r"^\d+$", x), aa.get_subdirectories("/proc")))
 else:
-    regex_tcp_udp = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)")
+    regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
     import subprocess
     if sys.version_info < (3, 0):
         output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
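Review bot: the name `regex_tcp_udp` no longer describes what the expression matches now that `raw` is a third alternative; rename it or add a comment above the line so the next reader does not assume raw sockets are excluded. Two smaller points on the same line: the new `\d+` alternative in the state group accepts any numeric state column, not just the `7` shown for the raw6 entry, which is fine for `-l` output but worth a comment; and for raw entries the second capture group (`58` in `:::58`) is the IPv6 protocol number rather than a port, as the `ipv6-icmp` name in the resolved listing shows, so any code that prints that group as a port will mislabel raw sockets.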

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
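As an added example (not part of the mail or of the AppArmor tree), the pre- and post-patch regexes are run over a constructed `netstat -nlp46` sample to show which entry the change picks up; the raw6 line is the one quoted in the mail, while the tcp/udp lines, their PIDs and program names are made up.

```python
import re

# Regex before and after the patch, both copied from the hunk in the mail.
OLD_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)")
NEW_RE = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")

# Constructed sample of `LANG=C netstat -nlp46` output. The raw6 line is the
# one from the mail; the tcp and udp lines (PIDs, programs) are invented.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1050/dhclient
raw6       0      0 :::58                   :::*                    7        1326/NetworkManager
""".splitlines()


def listening_pids(lines, regex):
    """Return {pid: (proto, local_number, program)} for every line the regex accepts.

    For tcp/udp the local number is a port; for raw sockets it is the
    protocol number (58 is ICMPv6), which is why aa-unconfined should not
    blindly label it as a port.
    """
    found = {}
    for line in lines:
        m = regex.search(line)
        if not m:
            continue
        proto, local, _remote, _state, pid, prog = m.groups()
        found[int(pid)] = (proto, int(local), prog)
    return found


def missed_by_old(lines):
    """PIDs the patched regex reports that the pre-patch regex silently skipped."""
    new_pids = set(listening_pids(lines, NEW_RE))
    old_pids = set(listening_pids(lines, OLD_RE))
    return sorted(new_pids - old_pids)


if __name__ == "__main__":
    for pid, (proto, num, prog) in sorted(listening_pids(SAMPLE, NEW_RE).items()):
        print(f"{pid:>6} {proto:<4} {num:>5} {prog}")
    print("only found after the patch:", missed_by_old(SAMPLE))
```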