[apparmor] [patch 1/4] utils/aa-unconfined: fix netstat usage, use ss(8) by default

Christian Boltz apparmor at cboltz.de
Fri Dec 30 13:54:31 UTC 2016


Hello,

On Thursday, 29 December 2016, 23:24:55 CET, Steve Beattie wrote:
> It was reported[1] that converting the netstat command to examine
> processes bound to ipv6 addresses broke on OpenSUSE due to the version
> of nettools not supporting the short -4 -6 arguments.
> 
> This patch switches to use the ss(8) utility from iproute2 by default
> (if ss is found) as netstat/net-tools is deprecated. Unfortunately,
> ss's '--family' argument does not accept multiple families, nor
> does passing '--family' multiple times with different arguments work
> either[2], so aa-unconfined invokes ss multiple times to gather the
> different socket families.

Sounds like ss is really an improvement over the deprecated netstat ;-))

> It also fixes the invocation of netstat to use the "--protocol
> inet,inet6" arguments instead, which should return the same results
> as the short options.

I just tested the modified command
+    cmd = ['netstat', '-nlp', '--protocol', 'inet,inet6']
and it works on openSUSE (tested in Tumbleweed and several releases).
This means we could do a simple patch for 2.9 and 2.10 that replaces the 
-46 parameter with --protocol to avoid the risk of regressions. (Says 
someone who submitted big patches for 2.9 and 2.10 more than once ;-)

For trunk, I agree that it's a good idea to use ss instead of the 
deprecated netstat by default.

> This patch provides command line arguments to manually switch using
> one tool or the other, as well as converting the invocations of ss
> and netstat to not use a shell, and documents these options in the
> aa-unconfined man page.
> 
> [1] Was a bug filed for this?

No, just a mail to the ML.

> [2] In fact, the version of ss/iproute2 in Ubuntu 14.04 LTS does not
>     restrict the listings to network sockets when 'ss -nlp --family
> inet' is invoked.

Nice[tm].


Some testing shows that aa-unconfined gives different results with ss and 
netstat (ss lists more processes). Some digging shows that this seems to
be caused by differences in what netstat and ss reports, so it's not an
error in aa-unconfined.

The differences on my system are (only listed by ss):
- 2749 /usr/sbin/wpa_supplicant not confined
- several apache child processes like
  4049 /usr/sbin/httpd-prefork confined by '/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT (complain)'

I wonder if netstat or ss are "more right" ;-)


Another difference:
The old aa-unconfined version gives nearly the same result as the 
--with-netstat option (good), however the old version doesn't list 
NetworkManager.

The netstat output doesn't explain this difference:

root at tux:/dev/shm> netstat -nlp |grep Network
raw        0      0 :::58                   :::*                    7           2286/NetworkManager 
raw        0      0 :::58                   :::*                    7           2286/NetworkManager 
unix  2      [ ACC ]     STREAM     HÖRT         43660  2286/NetworkManager /run/NetworkManager/private-dhcp
root at tux:/dev/shm> netstat -nlp --protocol inet,inet6 |grep Network
raw        0      0 :::58                   :::*                    7           2286/NetworkManager 
raw        0      0 :::58                   :::*                    7           2286/NetworkManager 

So - did you accidentally fix (or hide?) a parsing bug along the way? 
I doubt _less_ netstat output really meant to cause more aa-unconfined 
output ;-)


Another interesting[tm] detail (off-topic here) is:
 4464 /usr/bin/python2.7 (/usr/bin/python) not confined

Hmm, this python2.7 process is salt-master. Interestingly, 
salt-master.service has   ExecStart=/usr/bin/salt-master
Any idea why the processes show up as "python2.7" in the processlist?


That all said: the patch looks good, so
    Acked-by: Christian Boltz <apparmor at cboltz.de>
after answering the above questions ;-)

For 2.10 and 2.9, I'd prefer to have a small patch (using netstat's
--protocol option) instead of a full aa-unconfined rewrite.


Regards,

Christian Boltz
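As an added illustration of the approach Steve's patch describes (this is not code from the patch or from aa-unconfined itself): a Python sketch that calls ss once per address family via an argv list rather than a shell, pulls the owning PIDs out of the users:(...) field, drops the non-network netids that older ss versions print even with --family inet, and reads each process's AppArmor label from /proc/PID/attr/current. The ss output embedded in it is constructed, and the function names are my own.

```python
"""aa-unconfined-style audit: run ss(8) once per address family (--family takes
only one), collect the owning PIDs, and read each AppArmor label from /proc."""
import re
import subprocess
# ss prints socket owners as users:(("comm",pid=1234,fd=5),("comm",pid=1235,fd=5))
_OWNER_RE = re.compile(r'\("(?P<name>[^"]*)",pid=(?P<pid>\d+),fd=\d+\)')
# Non-network netids; old ss may list them even with --family inet, so drop them here.
_NON_INET_NETIDS = {'u_str', 'u_dgr', 'u_seq', 'nl', 'p_raw', 'p_dgr'}
# Constructed sample of 'ss -nlp --family inet' output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str LISTEN 0      128    /run/NetworkManager/private-dhcp 43660 * 0 users:(("NetworkManager",pid=2286,fd=12))
raw   UNCONN 0      0      *:58 *:* users:(("NetworkManager",pid=2286,fd=7))
udp   UNCONN 0      0      *:68 *:* users:(("wpa_supplicant",pid=2749,fd=9))
tcp   LISTEN 0      128    *:80 *:* users:(("httpd-prefork",pid=4049,fd=4),("httpd-prefork",pid=4048,fd=4))
"""
def parse_ss_output(text):
    """Map pid -> process name for every network-socket line of 'ss -nlp' output."""
    owners = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in _NON_INET_NETIDS:
            continue
        for m in _OWNER_RE.finditer(line):
            owners[int(m.group('pid'))] = m.group('name')
    return owners

def listeners_via_ss(families=('inet', 'inet6')):
    """Invoke ss once per family as an argv list (no shell) and merge the results."""
    owners = {}
    for family in families:
        proc = subprocess.run(['ss', '-nlp', '--family', family],
                              capture_output=True, text=True, check=True)
        owners.update(parse_ss_output(proc.stdout))
    return owners

def confinement(pid, proc_root='/proc'):
    """AppArmor label of pid; 'unconfined' if none, None if the process exited."""
    try:
        with open(f'{proc_root}/{pid}/attr/current') as fh:
            label = fh.read().strip()
    except FileNotFoundError:
        return None  # gone between the ss run and our check
    return label or 'unconfined'

if __name__ == '__main__':
    for pid, name in sorted(listeners_via_ss().items()):
        label = confinement(pid)
        if label is not None:
            print(f'{pid:>6} {name} {"not confined" if label == "unconfined" else label}')
```

Like aa-unconfined, the live run needs enough privilege for ss to show process owners (-p), otherwise the users:(...) field is simply absent and nothing is reported.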