[apparmor] [patch 1/4] utils/aa-unconfined: fix netstat usage, use ss(8) by default

Steve Beattie steve at nxnw.org
Fri Dec 30 18:20:02 UTC 2016

On Fri, Dec 30, 2016 at 02:54:31PM +0100, Christian Boltz wrote:
> Am Donnerstag, 29. Dezember 2016, 23:24:55 CET schrieb Steve Beattie:
> > [1] Was a bug filed for this?
> No, just a mail to the ML.

That's what I thought, I just wanted to make sure I did reference a bug
when committing if one existed.

> > [2] In fact, the version of ss/iproute2 in Ubuntu 14.04 LTS does not
> >     restrict the listings to network sockets when 'ss -nlp --family
> > inet' is invoked.
> Nice[tm].

Yeah. Oh, there's one other caveat with ss(8): on Ubuntu 12.04 LTS, the
format is different once again, and in a way that my patch is not able to
parse. But 12.04 is only supported for another 4 months or so, and the
option to use netstat is still there...

> Some testing shows that aa-unconfined gives different results with ss and 
> netstat (ss lists more processes). Some digging shows that this seems to
> be caused by differences in what netstat and ss reports, so it's not an
> error in aa-unconfined.
> The differences on my system are (only listed by ss):
> - 2749 /usr/sbin/wpa_supplicant not confined
> - several apache child processes like
>   4049 /usr/sbin/httpd-prefork confined by '/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT (complain)'
> I wonder if netstat or ss are "more right" ;-)

My assumption is that ss is more correct. The apache entry actually is
what demonstrated that the parsing of ss output was a little more
complicated; in netstat output, it looks like:

  tcp6       0      0 :::80                   :::*                 LISTEN      4296/apache2

whereas in ss, it looks like so:

  tcp   LISTEN   0   128   :::80   :::*   users:(("apache2",pid=22236,fd=4),("apache2",pid=8747,fd=4),("apache2",pid=8746,fd=4),("apache2",pid=8745,fd=4),("apache2",pid=8744,fd=4),("apache2",pid=8743,fd=4),("apache2",pid=4296,fd=4))

> Another difference:
> The old aa-unconfined version gives nearly the same result as the 
> --with-netstat option (good), however the old version doesn't list 
> NetworkManager.
> The netstat output doesn't explain this difference:
> root at tux:/dev/shm> netstat -nlp |grep Network
> raw        0      0 :::58                   :::*                    7           2286/NetworkManager 
> raw        0      0 :::58                   :::*                    7           2286/NetworkManager 
> unix  2      [ ACC ]     STREAM     HÖRT         43660  2286/NetworkManager /run/NetworkManager/private-dhcp
> root at tux:/dev/shm> netstat -nlp --protocol inet,inet6 |grep Network
> raw        0      0 :::58                   :::*                    7           2286/NetworkManager 
> raw        0      0 :::58                   :::*                    7           2286/NetworkManager 
> So - did you accidentally fix (or hide?) a parsing bug along the way? 
> I doubt _less_ netstat output really meant to cause more aa-unconfined 
> output ;-)

This was fixed in


per https://lists.ubuntu.com/archives/apparmor/2016-December/010307.html

> Another interesting[tm] detail (off-topic here) is:
>  4464 /usr/bin/python2.7 (/usr/bin/python) not confined
> Hmm, this python2.7 process is salt-master. Interestingly, 
> salt-master.service has   ExecStart=/usr/bin/salt-master
> Any idea why the processes show up as "python2.7" in the processlist?

Is this with all the patches in the series applied or just this one?
It's possible that's a change due to reading the /proc/PID/cmdline
directly rather than using cat. What do the contents of
/proc/PID/cmdline look like for the salt process? (Note that it's a
series of null-terminated strings, so you might want to do
something like "sed -e 's/\x0/\n/g'" on it).


Steve Beattie
<sbeattie at ubuntu.com>
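As an added illustration of the parsing difference discussed above (example code written for this page, not part of the aa-unconfined patch or the AppArmor project), here is a minimal Python extraction of PID/program pairs from the two listing formats, plus the NUL-splitting of /proc/PID/cmdline mentioned at the end. The sample lines are constructed after the ones quoted in the mail, and the helper names are my own.

```python
import re

# Constructed sample lines modelled on the two formats quoted in the mail
# (not captured from the author's system).
NETSTAT_LINE = ("tcp6       0      0 :::80                   :::*"
                "                 LISTEN      4296/apache2")
SS_LINE = ('tcp   LISTEN   0   128   :::80   :::*   '
           'users:(("apache2",pid=22236,fd=4),("apache2",pid=8747,fd=4),'
           '("apache2",pid=4296,fd=4))')

# netstat prints a single "PID/Program name" cell per socket line
# (or "-" when the caller may not see the owner).
NETSTAT_RE = re.compile(r'\b(\d+)/(\S+)')
# ss prints one users:(...) group that may carry several
# ("name",pid=N,fd=M) tuples when processes share a socket,
# which is exactly the pre-forked apache case from the mail.
SS_USER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def pids_from_netstat(line):
    """Return {pid: name} from one netstat -nlp line; {} if no PID shown."""
    m = NETSTAT_RE.search(line)
    return {int(m.group(1)): m.group(2)} if m else {}


def pids_from_ss(line):
    """Return {pid: name} from one ss -nlp line, one entry per sharing process."""
    return {int(pid): name for name, pid in SS_USER_RE.findall(line)}


def listening_pids(lines, parser):
    """Merge per-line results so each PID is reported once."""
    pids = {}
    for line in lines:
        pids.update(parser(line))
    return pids


def split_cmdline(raw):
    """Split the bytes of /proc/PID/cmdline on its NUL separators."""
    return [arg.decode('utf-8', 'replace') for arg in raw.split(b'\x00') if arg]
```

The same socket yields one PID from the netstat line but three from the ss line, which is why ss-based runs list more processes.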