[apparmor] [patch 1/4] utils/aa-unconfined: fix netstat usage, use ss(8) by default
john.johansen at canonical.com
Fri Dec 30 09:23:03 UTC 2016
On 12/29/2016 11:24 PM, Steve Beattie wrote:
> It was reported that converting the netstat command to examine
> processes bound to ipv6 addresses broke on OpenSUSE due to the version
> of nettools not supporting the short -4 -6 arguments.
I can confirm
> This patch switches to use the ss(8) utility from iproute2 by default
> (if ss is found) as netstat/net-tools is deprecated. Unfortunately,
> ss's '--family' argument does not accept multiple families, nor
> does passing '--family' multiple times with different arguments work
> either, so aa-unconfined invokes ss multiple times to gather the
> different socket families.
> It also fixes the invocation of netstat to use the "--protocol
> inet,inet6" arguments instead, which should return the same results
> as the short options.
nice, I would have preferred this as a separate patch but there is no
point splitting this off now.
> This patch provides command line arguments to manually switch using
> one tool or the other, as well as converting the invocations of ss
> and netstat to not use a shell, and documents these options in the
> aa-unconfined man page.
> Was a bug filed for this?
not that I know of
> In fact, the version of ss/iproute2 in Ubuntu 14.04 LTS does not
> restrict the listings to network sockets when 'ss -nlp --family inet'
> is invoked.
> Signed-off-by: Steve Beattie <steve at nxnw.org>
with the caveat that my python is meh, I've given this a couple passes
and it looks good
thanks for taking care of this
Acked-by: John Johansen <john.johansen at canonical.com>
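
The approach described in the quoted commit message, sketched as an added example (this is not the code from the patch): one ss run per socket family, netstat with "--protocol inet,inet6", argv lists instead of a shell string, and a row filter for ss builds that list more than network sockets. The function names, the TCP/UDP filter and the PID patterns are assumptions of this example.

```python
import re
import shutil
import subprocess

FAMILIES = ("inet", "inet6")
# Example's choice: keep only TCP/UDP rows (see the Ubuntu 14.04 caveat above).
NET_PROTOS = ("tcp", "udp")
PID_RE = {
    "ss": re.compile(r'\("[^"]*",(?:pid=)?(\d+),'),  # users:(("sshd",pid=812,fd=3))
    "netstat": re.compile(r"\s(\d+)/"),              # ... LISTEN 812/sshd
}

def pick_tool(prefer=None):
    """Honor an explicit choice; otherwise ss if installed, else netstat."""
    if prefer in PID_RE:
        return prefer
    return "ss" if shutil.which("ss") else "netstat"

def build_commands(tool):
    if tool == "ss":
        # --family accepts one family per run, so ss runs once per family.
        return [["ss", "-nlp", "--family", fam] for fam in FAMILIES]
    return [["netstat", "-nlp", "--protocol", ",".join(FAMILIES)]]

def parse_pids(tool, output):
    """Collect PIDs from TCP/UDP rows; headers and other rows are skipped."""
    pids = set()
    for line in output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith(NET_PROTOS):
            pids.update(int(p) for p in PID_RE[tool].findall(line))
    return pids

def listening_pids(prefer=None):
    tool = pick_tool(prefer)
    pids = set()
    for argv in build_commands(tool):
        # A list argv with the default shell=False is never shell-parsed.
        out = subprocess.run(argv, capture_output=True, text=True, check=True)
        pids |= parse_pids(tool, out.stdout)
    return pids

# Constructed sample output, not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0      128    /run/example.sock 12345 * 0 users:(("exampled",pid=1,fd=20))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      [::]:5353         [::]:*     users:(("avahi",pid=640,fd=13),("avahi",pid=641,fd=13))
"""
```

Process information for sockets owned by other users is only shown to root, so run `listening_pids()` with the same privileges aa-unconfined would have.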