Hello, Am Freitag, 30. Dezember 2016, 10:20:02 CET schrieb Steve Beattie: > On Fri, Dec 30, 2016 at 02:54:31PM +0100, Christian Boltz wrote: > > Am Donnerstag, 29. Dezember 2016 schrieb Steve Beattie:
> > > [2] In fact, the version of ss/iproute2 in Ubuntu 14.04 LTS does > > > not restrict the listings to network sockets when 'ss -nlp > > > --family inet' is invoked. > > > > Nice[tm]. > > Yeah. Oh, there's one other caveat with ss(8), on Ubuntu 12.04 LTS, > the format is different once again and in a way that my patch is not > able to parse. But 12.04 is only supported for another 4 months or > so, and the option to use netstat is still there... Right, and besides that - 2.11 wasn't released yet, so 12.04 users are not at risk (yet) even if they download the latest version. (I'd also guess that 12.04 won't get SRU'd to AppArmor 2.11 ;-) Nevertheless, I hope we get 2.11 released before 12.04 goes out of support. (I had hoped for "this year", but you would hate me a bit more if I'd ask for that today or tomorrow ;-) > > Some testing shows that aa-unconfined gives different results with > > ss and netstat (ss lists more processes). Some digging shows that > > this seems to be caused by differences in what netstat and ss > > reports, so it's not an error in aa-unconfined. > > > > The differences on my system are (only listed by ss): > > - 2749 /usr/sbin/wpa_supplicant not confined > > - several apache child processes like > > > > 4049 /usr/sbin/httpd-prefork confined by > > '/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT > > (complain)'> > > I wonder if netstat or ss are "more right" ;-) > > My assumption is that ss is more correct. The apache entry actually is > what demonstrated that the parsing of ss output was a little more > complicated; in netstat output, it looks like: > > tcp6 0 0 :::80 :::* > LISTEN 4296/apache2 > > whereas in ss, it looks like so: > > tcp LISTEN 0 128 :::80 :::* > users:(("apache2",pid=22236,fd=4),("apache2",pid=8747,fd=4),("apache2 > ",pid=8746,fd=4),("apache2",pid=8745,fd=4),("apache2",pid=8744,fd=4),( > "apache2",pid=8743,fd=4),("apache2",pid=4296,fd=4)) Indeed, that looks more interesting[tm] ;-) > > Another interesting[tm] detail (off-topic here) is: > > 4464 /usr/bin/python2.7 (/usr/bin/python) not confined > > > > Hmm, this python2.7 process is salt-master. Interestingly, > > salt-master.service has ExecStart=/usr/bin/salt-master > > Any idea why the processes show up as "python2.7" in the > > processlist? > > Is this with all the patches in the series applied or just this one? > It's possible that's a change due to reading the /proc/PID/cmdline > directly rather than using cat. What does the contents of > /proc/PID/cmdline look like for the salt process? (Note that it's a > series of strings that are null terminated, so you might want to do > something like "sed -e 's/\x0/\n/g'" on it). # cat /proc/2332/cmdline | sed -e 's/\x0/\n/g' /usr/bin/python /usr/bin/salt-master So it's really listed this way in /proc/*/cmdline for some reason. ps aux also agrees, which means it's not specific to aa-unconfined. Some more testing shows that for example aa-logprof is also displayed as "/usr/bin/python3 /usr/sbin/aa-logprof" in ps aux, so it seems to be normal and I overlooked this detail in the "ps aux" output for years ;-) Regards, Christian Boltz -- > Und jetzt nochmal ohne HTML-Zeuchs... sorry... Magst Du es vielleicht nochmal versuchen, dann ohne TOFU? [> Alexander Homberger und Werner Flamme in postfixbuch-users]
signature.asc
Description: This is a digitally signed message part.
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor