[apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.

John Johansen john.johansen at canonical.com
Sat Dec 31 21:56:21 UTC 2016

On 12/31/2016 01:41 PM, daniel curtis wrote:
> ​Hi John
> Thanks for an answer and explanation. I've created a bug report, because you have written, that: "A bug would be good, I'll try fixing it soon and will need a bug to reference when I push the fix". Please see [1].
yes, as I mentioned there is a bug with the reporting of the target= profile
name, I will use the bug for that

> Anyway, I should add a rule mentioned by me in a Launchpad bug report, right? I mean this one:
> @{PROC}/[0-9]*/net/tcp r,
> It's secure enough, even if that log entry showed up after running netstat(8) as a normal user - not via sudo(8)?
well that depends on what you are trying to achieve, but likely this is
good enough for your use case.

This will limit netstat to reading the proc net/tcp for any given process.
You could restrict it more by using an owner prefix to limit it to reading
only processes owned by the user but then you would be also limiting the
sudo use case, unless you did more work to give root users a different

> Best regards.
> _____________
> [1] https://lists.ubuntu.com/archives/apparmor/2016-December/010329.html> 

More information about the AppArmor mailing list