[apparmor] [patch 1/4] utils/aa-unconfined: fix netstat usage, use ss(8) by default

John Johansen john.johansen at canonical.com
Fri Dec 30 09:23:03 UTC 2016

On 12/29/2016 11:24 PM, Steve Beattie wrote:
> It was reported[1] that converting the netstat command to examine
> processes bound to ipv6 addresses broke on OpenSUSE due to the version
> of nettools not supporting the short -4 -6 arguments.
I can confirm

> This patch switches to use the ss(8) utility from iproute2 by default
> (if ss is found) as netstat/net-tools is deprecated. Unfortunately,
> ss's '--family' argument does not accept multiple families, nor
> does passing '--family' multiple times with different arguments work
> either[2], so aa-unconfined invokes ss multiple times to gather the
> different socket families.
> It also fixes the invocation of netstat to use the "--protocol
> inet,inet6" arguments instead, which should return the same results
> as the short options.
nice, I would have preferred this as a separate patch but there is no
point splitting this off now.

> This patch provides command line arguments to manually switch using
> one tool or the other, as well as converting the invocations of ss
> and netstat to not use a shell, and documents these options in the
> aa-unconfined man page.
> [1] Was a bug filed for this?
not that I know of

> [2] In fact, the version of ss/iproute2 in Ubuntu 14.04 LTS does not
>     restrict the listings to network sockets when 'ss -nlp --family inet'
>     is invoked.
> Signed-off-by: Steve Beattie <steve at nxnw.org>

with the caveat that my python is meh, I've given this a couple passes
and it looks good

thanks for taking care of this

Acked-by: John Johansen <john.johansen at canonical.com>

More information about the AppArmor mailing list