<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Hello</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Today, during some work with, among others, AppArmor profiles, I noticed that the "default" netstat(8) profile probably needs one rule. By "default", I mean the one which can be found in e.g. the 'apparmor-profiles/extras/' folder (under the '/usr/share/doc/' directory), with some additions and updates (please see [1], [2]), or this one: <a href="https://github.com/Harvie/AppArmor-Profiles/blob/master/bin.netstat">https://github.com/Harvie/AppArmor-Profiles/blob/master/bin.netstat</a></div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">The point is that running netstat(8) via sudo(8), in this case to check/display "a table of all network interfaces" (--interfaces, -i options) along with "showing numerical addresses instead of trying to determine symbolic host, port or user names" (--numeric, -n options), causes the following error:</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">$ sudo netstat -ni</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Kernel Interface table</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Warning: cannot open /proc/net/dev (Brak dostępu). Limited output.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">missing interface information: Permission denied.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Seeing the above error, I decided to check the system log files, and the '/var/log/syslog' file contained this entry:</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">As we can see, there is a simple "DENIED" action referring to the @{PROC} folder. What do all of you think about adding something like this to the netstat profile? (Which one is the better choice? I would like to use the first rule, because it uses the new '@{pid}' type.)</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">@{PROC}/@{pid}/net/dev r,</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">@{PROC}/[0-9]*/net/dev r,</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">And what about an "owner" prefix? Is it needed here? Because of the "missing interface information" line found in the error, I decided to add an interface (for example: '$ sudo netstat -ni enp0s11'), but the error message was exactly the same as above. The log file entry was also the same, of course except for the PID numbers.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">So, it seems that the netstat(8) profile needs one new rule. But maybe it concerns only me, and only I have this problem? What do you think: should the above rule be added to the profile?</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Release: 16.04.3 LTS</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Linux: 4.4.0-102-generic</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Thanks, best regards.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">____________________</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">[1] <a href="https://lists.ubuntu.com/archives/apparmor/2017-August/010957.html">https://lists.ubuntu.com/archives/apparmor/2017-August/010957.html</a></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">[2] <a href="https://lists.ubuntu.com/archives/apparmor/2017-August/010959.html">https://lists.ubuntu.com/archives/apparmor/2017-August/010959.html</a></div></div>
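<div class="gmail_default" style="font-family:verdana,sans-serif">An added example, not part of the original mail or of the AppArmor project: a small POSIX shell helper that takes the syslog DENIED line quoted above (embedded as constructed sample input), derives the candidate rule in the '@{pid}' form proposed in the mail, and compares the fsuid/ouid fields that decide whether an 'owner'-prefixed rule would match. It assumes the '@{pid}' variable is defined by the tunables on the system where the rule is loaded.</div>

```shell
#!/bin/sh
# Added example (not from the mail): derive a candidate AppArmor rule from
# a DENIED log line and check whether an "owner" prefix could match it.

# Constructed sample input: the syslog entry quoted in the mail.
LOG_LINE='apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# field KEY LINE: print the value of KEY=value or KEY="value" from LINE.
field() {
    # A leading space lets the pattern anchor on " KEY=" for the first key too.
    printf ' %s\n' "$2" | sed -n 's/.* '"$1"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# to_rule LINE: print a profile rule for the denied path, abstracting the
# process id with the @{pid} tunable (assumed to be defined on the system)
# and /proc with @{PROC}, as in the first rule proposed in the mail.
to_rule() {
    path=$(field name "$1")
    mask=$(field denied_mask "$1")
    path=$(printf '%s\n' "$path" \
        | sed -e 's|^/proc/[0-9][0-9]*/|@{PROC}/@{pid}/|' -e 's|^/proc/|@{PROC}/|')
    printf '%s %s,\n' "$path" "$mask"
}

# owner_would_match LINE: succeed if fsuid equals ouid, the condition under
# which an "owner"-prefixed rule applies to the access that was denied.
owner_would_match() {
    [ "$(field fsuid "$1")" = "$(field ouid "$1")" ]
}

# Usage: print the candidate rule and say whether "owner" would match it.
to_rule "$LOG_LINE"
if owner_would_match "$LOG_LINE"; then
    echo "# fsuid == ouid in the log, so an 'owner' prefix would still match"
fi
```

AppArmor's owner qualifier restricts a rule to files whose owner uid equals the accessing process's fsuid, which is exactly what the fsuid= and ouid= fields of the denial record; a rule derived this way should still be reviewed against the profile's tunables before being loaded.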