[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-08-09 Thread noreply
The proposal to merge lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor 
has been updated.

Status: Needs review => Merged

For more details, see:
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-20 Thread intrigeri
Review: Approve

I'm fine with the current state of this MR, please merge :)


Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-11 Thread Vincas Dargis
I've registered Ubuntu traceroute issue:
https://bugs.launchpad.net/ubuntu/+source/traceroute/+bug/1703649


Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-05 Thread Seth Arnold
On Mon, Jul 03, 2017 at 04:59:36PM -, Vincas Dargis wrote:
> sudo sysctl net.core.wmem_max=8388608
> sudo sysctl net.core.wmem_default=8388608
> 
> It no longer asks for net_admin.

Hrm, I wonder if these defaults make sense to apply to e.g. Ubuntu or
Debian as a whole, just to avoid this silly net_admin that every process
wants these days.

net_admin grants a lot of power, but just growing these windows is surely
a denial of service attack vector at the worst.

Thanks



Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-04 Thread Vincas Dargis
I've sent message to traceroute-devel:
https://sourceforge.net/p/traceroute/mailman/message/35927395/


Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-04 Thread Vincas Dargis
About net_admin: Christian Boltz suggested that [0]:
> I'd like to avoid it"

About Debian/Ubuntu:

> I suspect that traceroute does just the same on Debian *but* some AppArmor 
> mediation only supported in the Ubuntu kernel blocks it there. 

Maybe... though `strace` does not show these calls on Debian at all. It does not 
even try to apply these SO_RCVBUFFORCE/SO_SNDBUFFORCE options:

# strace -e setsockopt traceroute -T google.com >/dev/null
setsockopt(3, SOL_IP, IP_MTU_DISCOVER, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_TIMESTAMP, [1], 4) = 0
setsockopt(3, SOL_IP, IP_RECVTTL, [1], 4) = 0
setsockopt(3, SOL_IP, IP_RECVERR, [1], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [1], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [2], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [3], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [4], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [5], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [6], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [7], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [8], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [9], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [10], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [11], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [12], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [13], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [14], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [15], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [16], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [17], 4)  = 0

Maybe I should ask traceroute upstream developers about that..?

[0] https://lists.ubuntu.com/archives/apparmor/2017-June/010785.html


Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-04 Thread intrigeri
Review: Needs Information

> 1. Done.

Reviewed, looks good. Thanks! If this was all this merge request was about, I 
would approve the merge as-is.

> 2. I have just reproduced it on:
> Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
> Ubuntu 17.04 LiveCD on my physical machine.
> 
> I, too, *cannot* reproduce it on Debian Sid for some unknown reason.
> 
> strace shows failed calls on Ubuntu:
> 
> setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation
> not permitted)
> […]
> What is strange though, that Debian and Ubuntu has the same defaults (212992),
> though it seems that only on Ubuntu traceroute tries to increase that
> option...

I suspect that traceroute does just the same on Debian *but* some AppArmor 
mediation only supported in the Ubuntu kernel blocks it there. So the question 
is: to quiet the logs shall we allow or forbid it? In other words, what's the 
drawback of forbidding traceroute from performing these operations?



Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-03 Thread Vincas Dargis
1. Done.

2. I have just reproduced it on:
Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
Ubuntu 17.04 LiveCD on my physical machine.

I, too, *cannot* reproduce it on Debian Sid for some unknown reason.

strace shows failed calls on Ubuntu:

setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)

Changing SO_RCVBUFFORCE and SO_SNDBUFFORCE needs net_admin cap.

If I set:

sudo sysctl net.core.wmem_max=8388608
sudo sysctl net.core.wmem_default=8388608

It no longer asks for net_admin.

What is strange though is that Debian and Ubuntu have the same defaults (212992), 
yet it seems that only on Ubuntu does traceroute try to increase that option...

Maybe I should ask the Ubuntu traceroute maintainer about it?


Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-03 Thread intrigeri
Review: Needs Fixing

Hi Vincas! Thanks for this merge request. I could reproduce the problem it's 
meant to fix, and I agree it makes sense to fix it. Two requests though:

1. could you please merge the 4 @{PROC} lines e.g.:

  @{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,

2. wrt. "deny capability net_admin": on Debian sid (traceroute 1:2.1.0-2), I 
can't reproduce the issue it's meant to fix; which version of traceroute and OS 
are you using? Any specific local configuration that might come into play?


[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-06-24 Thread Vincas Dargis
Vincas Dargis has proposed merging lp:~talkless/apparmor/fix_traceroute_tcp 
into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260

Running `sudo traceroute -T 8.8.8.8` (with TCP SYN mode, root perms. are 
needed) on Ubuntu 17.04 will produce DENIED messages:

type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:335): arch=c03e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:335): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:336): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_sack" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:336): arch=c03e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:336): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:337): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_timestamps" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:337): arch=c03e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:337): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:338): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_window_scaling" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:338): arch=c03e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:338): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable" profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12  capname="net_admin"
type=SYSCALL msg=audit(1497186803.543:339): arch=c03e syscall=54 success=no exit=-1 a0=4 a1=1 a2=21 a3=7ffc1125bef0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:339): proctitle=7472616365726F757465002D5400382E382E382E38


This patch provides fixes for them.
=== modified file 'profiles/apparmor.d/usr.sbin.traceroute'
--- profiles/apparmor.d/usr.sbin.traceroute	2016-09-29 22:07:26 +
+++ profiles/apparmor.d/usr.sbin.traceroute	2017-06-24 15:28:54 +
@@ -15,6 +15,7 @@
   #include 
   #include 
 
+  deny capability net_admin, # noisy setsockopt() calls
   capability net_raw,
 
   network inet raw,
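Review bot: the comment on the new `deny capability net_admin, # noisy setsockopt() calls` line should say what is being silenced and why that is safe, because an explicit deny also suppresses the audit record, so a future traceroute that needs net_admin for something else will fail quietly. The strace output earlier in this thread shows the pattern: SO_RCVBUFFORCE/SO_SNDBUFFORCE fail with EPERM and traceroute immediately retries with plain SO_RCVBUF/SO_SNDBUF, which succeed, so the only effect of the deny is that the socket buffers stay clamped at the net.core.wmem_max style sysctl limits discussed in the thread. Suggest something like `deny capability net_admin, # SO_{RCV,SND}BUFFORCE; traceroute falls back to SO_{RCV,SND}BUF`.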
@@ -23,6 +24,10 @@
   /usr/sbin/traceroute mrix,
   /usr/bin/traceroute.db mrix,
   @{PROC}/net/route r,
+  @{PROC}/sys/net/ipv4/tcp_ecn r,
+  @{PROC}/sys/net/ipv4/tcp_sack r,
+  @{PROC}/sys/net/ipv4/tcp_timestamps r,
+  @{PROC}/sys/net/ipv4/tcp_window_scaling r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include 
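Review bot: the four added `@{PROC}/sys/net/ipv4/tcp_* r,` lines differ only in the last path component and can be one rule using AppArmor brace alternation, which intrigeri also asked for in review: `@{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,`. An explicit list like this is preferable to a `tcp_*` glob, since the AVC records in the proposal show read access to exactly these four sysctls and nothing else.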

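As an added example (not code from this merge request or from AppArmor's own tools), a small Python script that turns AVC DENIED records like the ones quoted in the proposal into candidate profile rules: it rewrites /proc to the @{PROC} variable, folds sibling paths into the brace alternation the reviewer asked for, and emits an explicit deny for net_admin as the patch does. The sample records are constructed, abbreviated copies of lines from this thread.

```python
import os, re
from collections import defaultdict

# Constructed sample, abbreviated from the AVC records quoted in the merge
# proposal: two tcp_* opens and the net_admin "capable" denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497186803.543:336): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_sack" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable" profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12  capname="net_admin"
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_denial(line):
    """Fields of an AppArmor AVC DENIED record, or None for anything else."""
    f = {k: v.strip('"') for k, v in KV.findall(line)}
    return f if f.get("type") == "AVC" and f.get("apparmor") == "DENIED" else None

def collapse(paths):
    """Fold sibling paths into one brace alternation, as the review asked."""
    by_dir = defaultdict(list)
    for p in sorted(paths):
        d, _, base = p.rpartition("/")
        by_dir[d].append(base)
    out = []
    for d, bases in sorted(by_dir.items()):
        pre = os.path.commonprefix(bases) if len(bases) > 1 else ""
        if pre in bases:  # avoid an empty alternative such as tcp{,_ecn}
            pre = ""
        alts = [b[len(pre):] for b in bases]
        out.append("%s/%s%s" % (d, pre, alts[0] if len(alts) == 1 else "{%s}" % ",".join(alts)))
    return out

def suggest_rules(log_text, deny_caps=("net_admin",)):
    """Map DENIED events to candidate profile rules, keyed by profile; capabilities
    in deny_caps get an explicit deny rule (as the patch does) rather than a grant."""
    files, caps = defaultdict(lambda: defaultdict(set)), defaultdict(set)
    for ev in filter(None, map(parse_denial, log_text.splitlines())):
        if ev["operation"] == "capable":
            caps[ev["profile"]].add(ev["capname"])
        elif "name" in ev and "denied_mask" in ev:
            # profiles reference /proc through the @{PROC} variable
            path = re.sub(r"^/proc/", "@{PROC}/", ev["name"])
            files[ev["profile"]][ev["denied_mask"]].add(path)
    out = {}
    for prof in sorted(set(files) | set(caps)):
        rules = [("deny " if c in deny_caps else "") + "capability %s," % c
                 for c in sorted(caps[prof])]
        for mask, paths in sorted(files[prof].items()):
            rules += ["%s %s," % (p, mask) for p in collapse(paths)]
        out[prof] = rules
    return out
```

Feed it `ausearch`/`dmesg` output for a profile and review each suggested line by hand, as aa-logprof would, before adding it to the profile.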