[apparmor] [patch 3/4] utils/aa-unconfined: allow specifying ss/netstat binary locations
Christian Boltz
apparmor at cboltz.de
Fri Dec 30 18:27:22 UTC 2016
Hello,
Am Freitag, 30. Dezember 2016, 09:47:53 CET schrieb Steve Beattie:
> On Fri, Dec 30, 2016 at 03:16:04PM +0100, Christian Boltz wrote:
> > Am Donnerstag, 29. Dezember 2016 schrieb Steve Beattie:
> > > This patch allows a user to specify a specific location for ss or
> > > netstat for use in aa-unconfined, allowing a user to work around a
> > > tool that's buggy, uninstalled, or installed in an unexpected
> > > location. Note this option in the manpage.
> >
> > How likely is it that someone really needs this?
> >
> > I mean, if I have a broken ss or netstat installed, I'd want to fix
> > it for everything - but I wouldn't think about overriding it just
> > for one application, and leave everything else broken ;-)
>
> Well, I was more thinking in terms of "broken in that aa-unconfined
> couldn't parse it, and netstat isn't available".
In such cases, I want a bugreport instead of people working around the
issue ;-)
Thinking about this - would it make sense to print a warning if
aa-unconfined finds _no_ processes listening to the network? I know this
can in theory happen, but it's not too likely nowadays.
> > So even without the security concerns, I tend to dislike this patch
> > simply because I think these options are superfluous IMHO.
>
> But yeah, I kind of agree with that.
>
> > However, parts of the patch make sense. I'm talking about handing
> > over the command name as parameter to the function - this will
> > allow to write tests using a fake_ss and fake_netstat command.
> > (We might need to move out those functions to a python module when
> > we
> > write those tests to avoid running the global code in aa-unconfined,
> > but that can be easily done once someone writes such a test.)
>
> I did wonder if get_pids_ss() and get_pids_netstat() ought to move to
> apparmor/common.py, but didn't see a need to do so for the time being.
We'll probably need it once we write tests for those functions - or we
wrap the global code in aa-unconfined with
if __name__ == '__main__':
Anyway, as long as we don't have tests, keeping the functions in
aa-unconfined isn't a problem. (But: please don't abuse this as an
argument not to write tests ;-)
> > To sum it up:
> > Acked-by: Christian Boltz <apparmor at cboltz.de>
> >
> > for adding the function parameters that make testing possible with a
> > fake_ss or fake_netstat script
> >
> > The Ack does _not_ cover allowing users to specify the ss or netstat
> > to use via commandline parameters - if you really want that, use
> > John's ack for this part of the patch ;-)
>
> Okay to apply?
>
> Subject: utils/aa-unconfined: allow specifying ss/netstat binary
> locations
>
> This patch allows a user to specify a specific location for ss or
> netstat in the invocations of get_pids_ss() or get_pids_netstat().
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
> ---
> utils/aa-unconfined | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> Index: b/utils/aa-unconfined
> ===================================================================
> --- a/utils/aa-unconfined
> +++ b/utils/aa-unconfined
> @@ -50,7 +50,7 @@ def get_all_pids():
> return set(filter(lambda x: re.search(r"^\d+$", x),
> aa.get_subdirectories("/proc")))
>
>
> -def get_pids_ss():
> +def get_pids_ss(ss='ss'):
> '''Get a set of pids listening on network sockets via ss(8)'''
> regex_lines =
> re.compile(r"^(tcp|udp|raw|p_dgr)\s.+\s+users:(?P<users>\(\(.*\)\))$"
> ) regex_users_pids = re.compile(r'(\("[^"]+",(pid=)?(\d+),[^)]+\))')
> @@ -60,7 +60,7 @@ def get_pids_ss():
> my_env['LANG'] = 'C'
> my_env['PATH'] = '/bin:/usr/bin:/sbin:/usr/sbin'
> for family in ['inet', 'inet6', 'link']:
> - cmd = ['ss', '-nlp', '--family', family]
> + cmd = [ss, '-nlp', '--family', family]
> if sys.version_info < (3, 0):
> output = subprocess.check_output(cmd, shell=False,
> env=my_env).split("\n") else:
> @@ -76,11 +76,11 @@ def get_pids_ss():
> return pids
>
>
> -def get_pids_netstat():
> +def get_pids_netstat(netstat='netstat'):
> '''Get a set of pids listening on network sockets via
> netstat(8)''' regex_tcp_udp =
> re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+
> )\s+(LISTEN|\d+|\s+)\s+(?P<pid>\d+)\/(\S+)")
>
> - cmd = ['netstat', '-nlp', '--protocol', 'inet,inet6']
> + cmd = [netstat, '-nlp', '--protocol', 'inet,inet6']
> my_env = os.environ.copy()
> my_env['LANG'] = 'C'
> my_env['PATH'] = '/bin:/usr/bin:/sbin:/usr/sbin'
Thanks, looks good :-)
Acked-by: Christian Boltz <apparmor at cboltz.de>
And now, please commit this patch series before the copyright line from
1/4 gets outdated ;-)
Regards,
Christian Boltz
--
> All cats purr at 28hz.
I think your cats need tuning - according to a couple of quick measure-
ments on a recently calibrated reference cat, the dominant frequency of
a correctly adjusted cat should be 12Hz +/-20%. [Lionel Lauer]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161230/7dcf556b/attachment.pgp>
More information about the AppArmor
mailing list