[apparmor] [patch] update netstat profile

Steve Beattie steve at nxnw.org
Mon Aug 7 15:07:33 UTC 2017


On Sun, Aug 06, 2017 at 08:31:56PM +0200, Christian Boltz wrote:
> Hello,
> 
> $subject.
> - allow reading @{PROC}/@{pid}/net/netstat and @{PROC}/@{pid}/net/snmp
> - drop owner conditional - /proc/*/net/* is always owned by root, and
>   the owner conditional means breaking netstat for non-root users
> - drop "@{PROC}/@{pids}/fd r," - /proc/*/fd is a directory, so this rule
>   would never apply
> 
> This is an "extra" profile, which means updating it in trunk is enough ;-)

Acked-by: Steve Beattie <steve at nxnw.org>

I noticed while testing this that I also saw a couple of rejections for
@{PROC}/@{pid}/net/udplite and @{PROC}/@{pid}/net/udplite6, it'd be nice
to get those added as well.

Thanks.

> === modified file 'profiles/apparmor/profiles/extras/bin.netstat'
> --- profiles/apparmor/profiles/extras/bin.netstat       2016-12-03 09:59:01 +0000
> +++ profiles/apparmor/profiles/extras/bin.netstat       2017-08-06 18:27:06 +0000
> @@ -2,6 +2,7 @@
>  # ------------------------------------------------------------------
>  #
>  #    Copyright (C) 2002-2005 Novell/SUSE
> +#    Copyright (C) 2017 Christian Boltz
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -27,15 +28,16 @@
>    /etc/networks r,
>    @{PROC} r,
>    @{PROC}/@{pids}/cmdline r,
> -  @{PROC}/@{pids}/fd r,
>    @{PROC}/net r,
>    @{PROC}/net/* r,
>    @{PROC}/@{pids}/fd/ r,
> -  owner @{PROC}/@{pid}/net/raw r,
> -  owner @{PROC}/@{pid}/net/raw6 r,
> -  owner @{PROC}/@{pid}/net/tcp r,
> -  owner @{PROC}/@{pid}/net/tcp6 r,
> -  owner @{PROC}/@{pid}/net/udp r,
> -  owner @{PROC}/@{pid}/net/udp6 r,
> -  owner @{PROC}/@{pid}/net/unix r,
> +  @{PROC}/@{pid}/net/netstat r,
> +  @{PROC}/@{pid}/net/raw r,
> +  @{PROC}/@{pid}/net/snmp r,
> +  @{PROC}/@{pid}/net/raw6 r,
> +  @{PROC}/@{pid}/net/tcp r,
> +  @{PROC}/@{pid}/net/tcp6 r,
> +  @{PROC}/@{pid}/net/udp r,
> +  @{PROC}/@{pid}/net/udp6 r,
> +  @{PROC}/@{pid}/net/unix r,
>  }
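Review bot: the added `@{PROC}/@{pid}/net/snmp r,` line sits between `raw` and `raw6`, breaking the alphabetical order the rest of the block keeps; moving it after `netstat` (or after `raw6`) keeps the list sorted and easier to diff later. The surviving `@{PROC}/@{pids}/fd/ r,` still uses `@{pids}` while every new `net/` entry uses `@{pid}`, so one variable should be chosen for the whole block. Since the reply reports udplite and udplite6 denials while testing, `@{PROC}/@{pid}/net/udplite r,` and `@{PROC}/@{pid}/net/udplite6 r,` belong in this same hunk rather than a follow-up.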

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/