[apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.

daniel curtis sidetripping at gmail.com
Tue Dec 6 15:05:18 UTC 2016


Hi

In the last few days, I've noticed that running the netstat(8) utility via sudo(8)
is responsible for many entries in various log files, such as
/var/log/kern.log or /var/log/syslog. I'm using this profile [1]. There are
many DENIED messages, but not related to, for example, the lack of some rule
etc.

It looks this way: run e.g. the `sudo netstat -talpn` command and check the log
files - there are entries such as these:

Nov 30 19:12:15 t4 kernel: [12380.946835] type=1400
audit(1480529535.149:812): apparmor="DENIED" operation="ptrace" parent=5014
profile="/bin/netstat" pid=5015 comm="netstat" target=B00280F4B00280F42701

Nov 30 19:12:15 t4 kernel: [12380.946850] type=1400
audit(1480529535.149:813): apparmor="DENIED" operation="ptrace" parent=5014
profile="/bin/netstat" pid=5015 comm="netstat" target=B00280F4B00280F42701

Nov 30 19:12:15 t4 kernel: [12380.946859] type=1400
audit(1480529535.149:814): apparmor="DENIED" operation="ptrace" parent=5014
profile="/bin/netstat" pid=5015 comm="netstat" target=B00280F4B00280F42701

Dec  6 15:27:11 t4 kernel: [  816.591037] type=1400
audit(1481034431.811:45): apparmor="DENIED" operation="ptrace" parent=17598
profile="/bin/netstat" pid=17599 comm="netstat" target=B00280F4B00280F44B01

Dec  6 15:27:11 t4 kernel: [  816.591069] type=1400
audit(1481034431.811:46): apparmor="DENIED" operation="ptrace" parent=17598
profile="/bin/netstat" pid=17599 comm="netstat" target=B00280F4B00280F44B01

Dec  6 15:27:11 t4 kernel: [  816.591086] type=1400
audit(1481034431.811:47): apparmor="DENIED" operation="ptrace" parent=17598
profile="/bin/netstat" pid=17599 comm="netstat" target=B00280F4B00280F44B01

There are, of course, many more such entries - about 80, maybe more. As we
can see, the only thing which has changed is the "target=" entry. Is it
normal, or does the 'bin.netstat' profile need some changes, updates etc.? What
are your opinions?

One more thing: if I'm not using IPv6, can I remove these rules from the
profile?

owner @{PROC}/*/net/raw6 r,
owner @{PROC}/*/net/tcp6 r,
owner @{PROC}/*/net/udp6 r,

AppArmor version: 2.7.102-0ubuntu3.10, Release: 12.04 LTS with latest Linux
kernel (update from Mon, Dec 5; ver. 3.2.0-118.161.)

Best regards.
_____________
[1] https://github.com/Harvie/AppArmor-Profiles/blob/master/bin.netstat
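
An added example, not part of the original post or of the profile it links to: a small Python summarizer that collapses repeated AppArmor DENIED records like the ones quoted above into one line per (profile, operation, pid, target) with a count. The function names `records` and `summarize` are hypothetical; the sample input is four of the records from the post.

```python
import re
from collections import Counter

# Four records from the post, wrapped as the mail client left them (one line each in kern.log).
SAMPLE = """\
Nov 30 19:12:15 t4 kernel: [12380.946835] type=1400
audit(1480529535.149:812): apparmor="DENIED" operation="ptrace" parent=5014
profile="/bin/netstat" pid=5015 comm="netstat" target=B00280F4B00280F42701
Nov 30 19:12:15 t4 kernel: [12380.946850] type=1400
audit(1480529535.149:813): apparmor="DENIED" operation="ptrace" parent=5014
profile="/bin/netstat" pid=5015 comm="netstat" target=B00280F4B00280F42701
Dec  6 15:27:11 t4 kernel: [  816.591037] type=1400
audit(1481034431.811:45): apparmor="DENIED" operation="ptrace" parent=17598
profile="/bin/netstat" pid=17599 comm="netstat" target=B00280F4B00280F44B01
Dec  6 15:27:11 t4 kernel: [  816.591069] type=1400
audit(1481034431.811:46): apparmor="DENIED" operation="ptrace" parent=17598
profile="/bin/netstat" pid=17599 comm="netstat" target=B00280F4B00280F44B01
"""

START = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ')  # syslog timestamp
AUDIT = re.compile(r'audit\((\d+\.\d+):(\d+)\):')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def records(text):
    """Re-join wrapped lines and yield one field dict per AppArmor audit record."""
    joined = []
    for line in text.splitlines():
        if START.match(line) or not joined:
            joined.append(line.strip())      # a timestamp starts a new record
        elif line.strip():
            joined[-1] += ' ' + line.strip()  # continuation of a wrapped record
    for rec in joined:
        m = AUDIT.search(rec)
        if m and 'apparmor=' in rec:
            fields = {k: v.strip('"') for k, v in KV.findall(rec[m.end():])}
            fields['serial'] = int(m.group(2))  # audit serial number
            yield fields

def summarize(text):
    """Count DENIED records per (profile, operation, pid, target)."""
    counts = Counter()
    for f in records(text):
        if f.get('apparmor') == 'DENIED':
            counts[f.get('profile'), f.get('operation'), f.get('pid'), f.get('target')] += 1
    return counts

if __name__ == '__main__':
    for (profile, op, pid, target), n in summarize(SAMPLE).most_common():
        print(f'{n:3d}x profile={profile} operation={op} pid={pid} target={target}')
```

The same functions accept unwrapped kern.log or syslog text, since every line that begins with a syslog timestamp starts a new record.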