[apparmor] [patch 1/4] utils/aa-unconfined: fix netstat usage, use ss(8) by default
Steve Beattie
steve at nxnw.org
Fri Dec 30 18:20:02 UTC 2016
On Fri, Dec 30, 2016 at 02:54:31PM +0100, Christian Boltz wrote:
> Am Donnerstag, 29. Dezember 2016, 23:24:55 CET schrieb Steve Beattie:
> > [1] Was a bug filed for this?
>
> No, just a mail to the ML.
That's what I thought, I just wanted to make sure I did reference a bug
when committing if one existed.
> > [2] In fact, the version of ss/iproute2 in Ubuntu 14.04 LTS does not
> > restrict the listings to network sockets when 'ss -nlp --family
> > inet' is invoked.
>
> Nice[tm].
Yeah. Oh, there's one other caveat with ss(8), on Ubuntu 12.04 LTS, the
format is different once again and in a way that my patch is not able to
parse. But 12.04 is only supported for another 4 months or so, and the
option to use netstat is still there...
> Some testing shows that aa-unconfined gives different results with ss and
> netstat (ss lists more processes). Some digging shows that this seems to
> be caused by differences in what netstat and ss reports, so it's not an
> error in aa-unconfined.
>
> The differences on my system are (only listed by ss):
> - 2749 /usr/sbin/wpa_supplicant not confined
> - several apache child processes like
> 4049 /usr/sbin/httpd-prefork confined by '/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT (complain)'
>
> I wonder if netstat or ss are "more right" ;-)
My assumption is that ss is more correct. The apache entry actually is
what demonstrated that the parsing of ss output was a little more
complicated; in netstat output, it looks like:
tcp6 0 0 :::80 :::* LISTEN 4296/apache2
whereas in ss, it looks like so:
tcp LISTEN 0 128 :::80 :::* users:(("apache2",pid=22236,fd=4),("apache2",pid=8747,fd=4),("apache2",pid=8746,fd=4),("apache2",pid=8745,fd=4),("apache2",pid=8744,fd=4),("apache2",pid=8743,fd=4),("apache2",pid=4296,fd=4))
> Another difference:
> The old aa-unconfined version gives nearly the same result as the
> --with-netstat option (good), however the old version doesn't list
> NetworkManager.
>
> The netstat output doesn't explain this difference:
>
> root at tux:/dev/shm> netstat -nlp |grep Network
> raw 0 0 :::58 :::* 7 2286/NetworkManager
> raw 0 0 :::58 :::* 7 2286/NetworkManager
> unix 2 [ ACC ] STREAM HÖRT 43660 2286/NetworkManager /run/NetworkManager/private-dhcp
> root at tux:/dev/shm> netstat -nlp --protocol inet,inet6 |grep Network
> raw 0 0 :::58 :::* 7 2286/NetworkManager
> raw 0 0 :::58 :::* 7 2286/NetworkManager
>
> So - did you accidently fix (or hide?) a parsing bug along the way?
> I doubt _less_ netstat output really meant to cause more aa-unconfined
> output ;-)
This was fixed in
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3593
per https://lists.ubuntu.com/archives/apparmor/2016-December/010307.html
> Another interesting[tm] detail (off-topic here) is:
> 4464 /usr/bin/python2.7 (/usr/bin/python) not confined
>
> Hmm, this python2.7 process is salt-master. Interestingly,
> salt-master.service has ExecStart=/usr/bin/salt-master
> Any idea why the processes show up as "python2.7" in the processlist?
Is this with all the patches in the series applied or just this one?
It's possible that's a change due to reading the /proc/PID/cmdline
directly rather than using cat. What does the contents of
/proc/PID/cmdline look like for the salt process? (Note that it's a
series of strings that are null terminated, so you might want to do
something like "sed -e 's/\x0/\n/g'" on it).
Thanks.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161230/774ccd96/attachment.pgp>
More information about the AppArmor
mailing list