daniel curtis
2017-12-06 19:14:05 UTC
Hello
Today, during some work with, among others, AppArmor profiles, I noticed,
that a "default" netstat(8) profile probably needs one rule. By writing
"default", I mean this one, which can be found in e.g.
'apparmor-profiles/extras/' folder (under '/usr/share/doc/' directory) with
some additions and updates (please see; 1., 2.) or this one:
https://github.com/Harvie/AppArmor-Profiles/blob/master/bin.netstat
The point is that running netstat(8) via sudo(8), in this case, to
check/dispaly "a table of all network interfaces" (--interfaces, -i
options) along with "showing numerical addresses instead of trying to
determine symbolic host, port or user names" (--numeric , -n options), causes
the following error:
$ sudo netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR
TX-DRP TX-OVR Flg
Warning: cannot open /proc/net/dev (Brak dostÄpu). Limited output.
missing interface information: Permission denied.
Seeing something like above error, I decided to check system log files and
'/var/log/syslog' file contained such entry:
â apparmor="DENIED" operation="open" profile="/bin/netstat"
name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
As we can see, there is a simple "DENIED" action referring to the {PROC}
folder. What all of you thinks about adding something like this to the
netstat profile? (Which one is a better choice? I would like to use the
first rule, because it uses a new '@{pid}' type.)
@{PROC}/@{pid}/net/dev r,
@{PROC}/[0-9]*/net/dev r,
And what about an "owner" prefix? Is it needed here? Because of a "missing
interface information" line found in error, I decided to add an interface
(an example: '$ sudo netstat -ni enp0s11') but an error message was exactly
the same as above. Log file entry was also the same, of course except PIDs
numbers.
So, it seems that netstat(8) profile needs one, new rule. But maybe it
concerns only me and maybe only I have this problem? What do you think:
should an above rule be added to the profile?
Release: 16.04.3 LTS
Linux: 4.4.0-102-generic
Thanks, best regards.
____________________
[1] https://lists.ubuntu.com/archives/apparmor/2017-August/010957.html
[2] https://lists.ubuntu.com/archives/apparmor/2017-August/010959.html
Today, during some work with, among others, AppArmor profiles, I noticed,
that a "default" netstat(8) profile probably needs one rule. By writing
"default", I mean this one, which can be found in e.g.
'apparmor-profiles/extras/' folder (under '/usr/share/doc/' directory) with
some additions and updates (please see; 1., 2.) or this one:
https://github.com/Harvie/AppArmor-Profiles/blob/master/bin.netstat
The point is that running netstat(8) via sudo(8), in this case, to
check/dispaly "a table of all network interfaces" (--interfaces, -i
options) along with "showing numerical addresses instead of trying to
determine symbolic host, port or user names" (--numeric , -n options), causes
the following error:
$ sudo netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR
TX-DRP TX-OVR Flg
Warning: cannot open /proc/net/dev (Brak dostÄpu). Limited output.
missing interface information: Permission denied.
Seeing something like above error, I decided to check system log files and
'/var/log/syslog' file contained such entry:
â apparmor="DENIED" operation="open" profile="/bin/netstat"
name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
As we can see, there is a simple "DENIED" action referring to the {PROC}
folder. What all of you thinks about adding something like this to the
netstat profile? (Which one is a better choice? I would like to use the
first rule, because it uses a new '@{pid}' type.)
@{PROC}/@{pid}/net/dev r,
@{PROC}/[0-9]*/net/dev r,
And what about an "owner" prefix? Is it needed here? Because of a "missing
interface information" line found in error, I decided to add an interface
(an example: '$ sudo netstat -ni enp0s11') but an error message was exactly
the same as above. Log file entry was also the same, of course except PIDs
numbers.
So, it seems that netstat(8) profile needs one, new rule. But maybe it
concerns only me and maybe only I have this problem? What do you think:
should an above rule be added to the profile?
Release: 16.04.3 LTS
Linux: 4.4.0-102-generic
Thanks, best regards.
____________________
[1] https://lists.ubuntu.com/archives/apparmor/2017-August/010957.html
[2] https://lists.ubuntu.com/archives/apparmor/2017-August/010959.html