[apparmor] [PATCH] make aa-unconfined include ipv6

John Johansen john.johansen at canonical.com
Fri Dec 2 01:28:00 UTC 2016


On 12/01/2016 04:58 PM, Steve Beattie wrote:
> On Thu, Dec 01, 2016 at 04:47:23PM -0800, Seth Arnold wrote:
>> On Thu, Dec 01, 2016 at 04:39:06PM -0800, John Johansen wrote:
>>> meh, sufficient is good enough, we can add more as we encounter a need
>>>
>>> updated patch below
>>
>> You're right, I can't figure out how to get nc or socat to listen to a
>> specific address. (Odd. I'd have expected this to just be obvious in
>> either tool.)
>>
>> So, in the meantime, this is great! :D
>>
>> Acked-by: Seth Arnold <seth.arnold at canonical.com>
>>
>> Acked for everything.
> 
> Also acked from me, thanks.
> 
> In testing, I did notice one thing not getting turned up, from
> netstat -nlp46 output:
> 
>   raw6       0      0 :::58                   :::*                    7        1326/NetworkManager
> 
> which when asking netstat to display name resolution ends up being:
> 
>   raw6       0      0 [::]:ipv6-icmp          [::]:*                  7        1326/NetworkManager
> 
> Of course, aa-unconfined doesn't show this, the following patch adds
> that, by adding the raw keyword as an alternative to tcp|udp and
> accepting a number as an alternative to LISTEN.
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

oh nice
Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  utils/aa-unconfined |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Index: b/utils/aa-unconfined
> ===================================================================
> --- a/utils/aa-unconfined
> +++ b/utils/aa-unconfined
> @@ -43,7 +43,7 @@ pids = []
>  if paranoid:
>      pids = list(filter(lambda x: re.search(r"^\d+$", x), aa.get_subdirectories("/proc")))
>  else:
> -    regex_tcp_udp = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\s+)\s+(\d+)\/(\S+)")
> +    regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
>      import subprocess
>      if sys.version_info < (3, 0):
>          output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
> 
> 
> 
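Review bot: the widened pattern on the `+` line needs a comment and a more accurate name. `regex_tcp_udp` now also matches `raw`/`raw6` rows, where the number captured after the local-address colon (group 2) is an IP protocol number rather than a port (58, ipv6-icmp, in the netstat sample quoted above), and where the state column (group 4) is numeric (7 in the sample) rather than LISTEN. Suggest renaming it, for example to `regex_listeners`, and documenting both points beside it so that code consuming group 2 does not present 58 as a listening port. Accepting any `\d+` as the state also means the pattern relies on the `-l` flag in the `netstat -nlp46` call to restrict rows to listening sockets, which is worth stating in the same comment.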



