Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

Mon, 03 Jul 2017 10:00:07 -0700 

1. Done.

2. I have just reproduced it on:
Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
Ubuntu 17.04 LiveCD on my physical machine.

I, too, *cannot* reproduce it on Debian Sid for some unknown reason.

strace shows failed calls on Ubuntu:

setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted) 

Changing SO_RCVBUFFORCE and SO_SNDBUFFORCE needs net_admin cap.

If I set:

sudo sysctl net.core.wmem_max=8388608                                           
                               
sudo sysctl net.core.wmem_default=8388608

It no longer asks for net_admin.

What is strange though, that Debian and Ubuntu has the same defaults (212992), 
though it seems that only on Ubuntu traceroute tries to increase that option...

Maybe I should ask about it Ubuntu traceroute maintainer..?
-- 
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to