Hello,

On Sunday, 11 June 2017, 15:18:16 CEST, Vincas Dargis wrote:
> Running `sudo traceroute -T 8.8.8.8` (with TCP SYN mode, root perms.
> are needed) on Ubuntu 17.04 will produce DENIED messages:
> This patch provides fixes for them:
>
> [ 01-traceroute-tcp-mode.diff ]
>
> === modified file 'profiles/apparmor.d/usr.sbin.traceroute'
> --- profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:07:26 +0000
> +++ profiles/apparmor.d/usr.sbin.traceroute 2017-06-11 13:06:02 +0000
> @@ -15,6 +15,7 @@
> #include <abstractions/consoles>
> #include <abstractions/nameservice>
>
> + capability net_admin,
> capability net_raw,
>
> network inet raw,
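Review bot: the added `+ capability net_admin,` line grants far more than the stated purpose of this patch (TCP SYN probes) requires, and nothing in the hunk shows the denial message that motivates it; before granting it, confirm that `traceroute -T` actually fails without net_admin rather than merely logging a denial, and if it is only log noise, a `deny capability net_admin,` rule keeps the profile tight while silencing the audit message.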
> @@ -23,6 +24,10 @@
> /usr/sbin/traceroute mrix,
> /usr/bin/traceroute.db mrix,
> @{PROC}/net/route r,
> + @{PROC}/sys/net/ipv4/tcp_ecn r,
> + @{PROC}/sys/net/ipv4/tcp_sack r,
> + @{PROC}/sys/net/ipv4/tcp_timestamps r,
> + @{PROC}/sys/net/ipv4/tcp_window_scaling r,
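Review bot: the four new `@{PROC}/sys/net/ipv4/tcp_*` rules are read-only sysctl reads and look fine, but as a style point they could be collapsed into a single rule, `@{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,`, which is easier to keep in sync if the TCP mode later needs another knob; a wider glob such as `tcp_* r` would also work but exposes more of the sysctl tree than this patch needs.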
Just tested on openSUSE Tumbleweed: I can reproduce the
/proc/sys/net/ipv4/tcp_* reads, so the @{PROC} rules get my
Acked-by: Christian Boltz <[email protected]>
However, I can't reproduce the denial for capability net_admin.
net_admin allows quite a lot (interface configuration, set promiscuous
mode etc. - see man 7 capabilities), so I'd like to avoid it.
Is capability net_admin really needed (as in "traceroute breaks without
it") or does it work without it? If so, a deny capability net_admin,
rule might be an option.
Regards,
Christian Boltz
--
> |``All mail clients suck. This one just sucks less.'' -me, circa 1995
> This statement is more valid today than ever! ("me" is Michael Elkins!)
Pah. Mutt can't even interpret the simplest script worms.
Get out of here with that. [> David Haller and Ratti in fontlinge-devel]
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
