[apparmor] [patch 3/4] utils/aa-unconfined: allow specifying ss/netstat binary locations
Steve Beattie
steve at nxnw.org
Fri Dec 30 17:47:53 UTC 2016
On Fri, Dec 30, 2016 at 03:16:04PM +0100, Christian Boltz wrote:
> Am Donnerstag, 29. Dezember 2016, 23:24:57 CET schrieb Steve Beattie:
> > This patch allows a user to specify a specific location for ss or
> > netstat for use in aa-unconfined, allowing a user to work around a
> > tool that's buggy, uninstalled, or installed in an unexpected
> > location. Note this option in the manpage.
>
> How likely is it that someone really needs this?
>
> I mean, if I have a broken ss or netstat installed, I'd want to fix it
> for everything - but I wouldn't think about overriding it just for one
> application, and leave everything else broken ;-)
Well, I was more thinking in terms of "broken in that aa-unconfined
couldn't parse it, and netstat isn't available".
> So even without the security concerns, I tend to dislike this patch
> simply because I think these options are superfluous IMHO.
But yeah, I kind of agree with that.
> However, parts of the patch make sense. I'm talking about handing over
> the command name as parameter to the function - this will allow to write
> tests using a fake_ss and fake_netstat command.
> (We might need to move out those functions to a python module when we
> write those tests to avoid running the global code in aa-unconfined, but
> that can be easily done once someone writes such a test.)
I did wonder if get_pids_ss() and get_pids_netstat() ought to move to
apparmor/common.py, but didn't see a need to do so for the time being.
> To sum it up:
> Acked-by: Christian Boltz <apparmor at cboltz.de>
> for adding the function parameters that make testing possible with a
> fake_ss or fake_netstat script
>
> The Ack does _not_ cover allowing users to specify the ss or netstat to
> use via commandline parameters - if you really want that, use John's ack
> for this part of the patch ;-)
Okay to apply?
Subject: utils/aa-unconfined: allow specifying ss/netstat binary locations
This patch allows a user to specify a specific location for ss or
netstat in the invocations of get_pids_ss() or get_pids_netstat().
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
utils/aa-unconfined | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
Index: b/utils/aa-unconfined
===================================================================
--- a/utils/aa-unconfined
+++ b/utils/aa-unconfined
@@ -50,7 +50,7 @@ def get_all_pids():
return set(filter(lambda x: re.search(r"^\d+$", x), aa.get_subdirectories("/proc")))
-def get_pids_ss():
+def get_pids_ss(ss='ss'):
'''Get a set of pids listening on network sockets via ss(8)'''
regex_lines = re.compile(r"^(tcp|udp|raw|p_dgr)\s.+\s+users:(?P<users>\(\(.*\)\))$")
regex_users_pids = re.compile(r'(\("[^"]+",(pid=)?(\d+),[^)]+\))')
@@ -60,7 +60,7 @@ def get_pids_ss():
my_env['LANG'] = 'C'
my_env['PATH'] = '/bin:/usr/bin:/sbin:/usr/sbin'
for family in ['inet', 'inet6', 'link']:
- cmd = ['ss', '-nlp', '--family', family]
+ cmd = [ss, '-nlp', '--family', family]
if sys.version_info < (3, 0):
output = subprocess.check_output(cmd, shell=False, env=my_env).split("\n")
else:
@@ -76,11 +76,11 @@ def get_pids_ss():
return pids
-def get_pids_netstat():
+def get_pids_netstat(netstat='netstat'):
'''Get a set of pids listening on network sockets via netstat(8)'''
regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(?P<pid>\d+)\/(\S+)")
- cmd = ['netstat', '-nlp', '--protocol', 'inet,inet6']
+ cmd = [netstat, '-nlp', '--protocol', 'inet,inet6']
my_env = os.environ.copy()
my_env['LANG'] = 'C'
my_env['PATH'] = '/bin:/usr/bin:/sbin:/usr/sbin'
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161230/e510b92d/attachment-0001.pgp>
More information about the AppArmor
mailing list