On Fri, Dec 30, 2016 at 03:16:04PM +0100, Christian Boltz wrote: > Am Donnerstag, 29. Dezember 2016, 23:24:57 CET schrieb Steve Beattie: > > This patch allows a user to specify a specific location for ss or > > netstat for use in aa-unconfined, allowing a user to work around a > > tool that's buggy, uninstalled, or installed in an unexpected > > location. Note this option in the manpage. > > How likely is it that someone really needs this? > > I mean, if I have a broken ss or netstat installed, I'd want to fix it > for everything - but I wouldn't think about overriding it just for one > application, and leave everything else broken ;-)
Well, I was more thinking in terms of "broken in that aa-unconfined couldn't parse it, and netstat isn't available". > So even without the security concerns, I tend to dislike this patch > simply because I think these options are superfluous IMHO. But yeah, I kind of agree with that. > However, parts of the patch make sense. I'm talking about handing over > the command name as parameter to the function - this will allow to write > tests using a fake_ss and fake_netstat command. > (We might need to move out those functions to a python module when we > write those tests to avoid running the global code in aa-unconfined, but > that can be easily done once someone writes such a test.) I did wonder if get_pids_ss() and get_pids_netstat() ought to move to apparmor/common.py, but didn't see a need to do so for the time being. > To sum it up: > Acked-by: Christian Boltz <[email protected]> > for adding the function parameters that make testing possible with a > fake_ss or fake_netstat script > > The Ack does _not_ cover allowing users to specify the ss or netstat to > use via commandline parameters - if you really want that, use John's ack > for this part of the patch ;-) Okay to apply? Subject: utils/aa-unconfined: allow specifying ss/netstat binary locations This patch allows a user to specify a specific location for ss or netstat in the invocations of get_pids_ss() or get_pids_netstat(). Signed-off-by: Steve Beattie <[email protected]> --- utils/aa-unconfined | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) Index: b/utils/aa-unconfined =================================================================== --- a/utils/aa-unconfined +++ b/utils/aa-unconfined @@ -50,7 +50,7 @@ def get_all_pids(): return set(filter(lambda x: re.search(r"^\d+$", x), aa.get_subdirectories("/proc"))) -def get_pids_ss(): +def get_pids_ss(ss='ss'): '''Get a set of pids listening on network sockets via ss(8)''' regex_lines = re.compile(r"^(tcp|udp|raw|p_dgr)\s.+\s+users:(?P<users>\(\(.*\)\))$") regex_users_pids = re.compile(r'(\("[^"]+",(pid=)?(\d+),[^)]+\))') @@ -60,7 +60,7 @@ def get_pids_ss(): my_env['LANG'] = 'C' my_env['PATH'] = '/bin:/usr/bin:/sbin:/usr/sbin' for family in ['inet', 'inet6', 'link']: - cmd = ['ss', '-nlp', '--family', family] + cmd = [ss, '-nlp', '--family', family] if sys.version_info < (3, 0): output = subprocess.check_output(cmd, shell=False, env=my_env).split("\n") else: @@ -76,11 +76,11 @@ def get_pids_ss(): return pids -def get_pids_netstat(): +def get_pids_netstat(netstat='netstat'): '''Get a set of pids listening on network sockets via netstat(8)''' regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(?P<pid>\d+)\/(\S+)") - cmd = ['netstat', '-nlp', '--protocol', 'inet,inet6'] + cmd = [netstat, '-nlp', '--protocol', 'inet,inet6'] my_env = os.environ.copy() my_env['LANG'] = 'C' my_env['PATH'] = '/bin:/usr/bin:/sbin:/usr/sbin' -- Steve Beattie <[email protected]> http://NxNW.org/~steve/
signature.asc
Description: PGP signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
