[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
The proposal to merge lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor has been updated.

Status: Needs review => Merged

For more details, see:
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
--
Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
Review: Approve

I'm fine with the current state of this MR, please merge :)
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
I've registered an Ubuntu traceroute issue:
https://bugs.launchpad.net/ubuntu/+source/traceroute/+bug/1703649
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
On Mon, Jul 03, 2017 at 04:59:36PM -, Vincas Dargis wrote:
> sudo sysctl net.core.wmem_max=8388608
> sudo sysctl net.core.wmem_default=8388608
>
> It no longer asks for net_admin.

Hrm, I wonder if these defaults make sense to apply to e.g. Ubuntu or Debian as a whole, just to avoid this silly net_admin that every process wants these days. net_admin grants a lot of power, but just growing these windows is surely a denial of service attack vector at the worst.

Thanks
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
I've sent a message to traceroute-devel:
https://sourceforge.net/p/traceroute/mailman/message/35927395/
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
About net_admin: Christian Boltz suggested that [0]:
> I'd like to avoid it

About Debian/Ubuntu:
> I suspect that traceroute does just the same on Debian *but* some AppArmor
> mediation only supported in the Ubuntu kernel blocks it there.

Maybe.. though `strace` does not show these calls on Debian at all. It does not even try to apply these SO_RCVBUFFORCE/SO_SNDBUFFORCE options at all:

# strace -e setsockopt traceroute -T google.com >/dev/null
setsockopt(3, SOL_IP, IP_MTU_DISCOVER, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_TIMESTAMP, [1], 4) = 0
setsockopt(3, SOL_IP, IP_RECVTTL, [1], 4) = 0
setsockopt(3, SOL_IP, IP_RECVERR, [1], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [1], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [2], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [3], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [4], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [5], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [6], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [7], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [8], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [9], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [10], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [11], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [12], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [13], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [14], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [15], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [16], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [17], 4) = 0

Maybe I should ask traceroute upstream developers about that..?

[0] https://lists.ubuntu.com/archives/apparmor/2017-June/010785.html
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
Review: Needs Information

> 1. Done.

Reviewed, looks good. Thanks! If this was all this merge request was about, I would approve the merge as-is.

> 2. I have just reproduced it on:
> Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
> Ubuntu 17.04 LiveCD on my physical machine.
>
> I, too, *cannot* reproduce it on Debian Sid for some unknown reason.
>
> strace shows failed calls on Ubuntu:
>
> setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation
> not permitted)
> […]
> What is strange though, that Debian and Ubuntu has the same defaults (212992),
> though it seems that only on Ubuntu traceroute tries to increase that
> option...

I suspect that traceroute does just the same on Debian *but* some AppArmor mediation only supported in the Ubuntu kernel blocks it there.

So the question is: to quiet the logs shall we allow or forbid it? In other words, what's the drawback of forbidding traceroute from performing these operations?
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
1. Done.

2. I have just reproduced it on:
Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
Ubuntu 17.04 LiveCD on my physical machine.

I, too, *cannot* reproduce it on Debian Sid for some unknown reason.

strace shows failed calls on Ubuntu:

setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)

Changing SO_RCVBUFFORCE and SO_SNDBUFFORCE needs net_admin cap. If I set:

sudo sysctl net.core.wmem_max=8388608
sudo sysctl net.core.wmem_default=8388608

It no longer asks for net_admin.

What is strange, though, is that Debian and Ubuntu have the same defaults (212992), though it seems that only on Ubuntu traceroute tries to increase that option...

Maybe I should ask the Ubuntu traceroute maintainer about it..?
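To make the fallback visible in the strace above concrete, here is an added example (not code from this merge request or from traceroute) that does what traceroute does: it asks for an 8388608-byte receive buffer with SO_RCVBUFFORCE, which needs CAP_NET_ADMIN, and when that fails with EPERM it retries with plain SO_RCVBUF and reads back what the kernel actually granted. The struct and function names are ours; the request size is the one from the strace.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef SO_RCVBUFFORCE
#define SO_RCVBUFFORCE 33   /* asm-generic value, normally exported via <asm/socket.h> */
#endif

struct bufresult {       /* outcome of one buffer-growing attempt (struct name is ours) */
    int forced;          /* 1 if SO_RCVBUFFORCE succeeded, i.e. caller had CAP_NET_ADMIN */
    int force_errno;     /* errno from the FORCE attempt; EPERM without the capability */
    int effective;       /* SO_RCVBUF as the kernel reports it afterwards */
};

/* The sequence traceroute's strace showed: privileged FORCE option first, then the
   unprivileged one, which the kernel silently clamps to net.core.rmem_max. */
int grow_rcvbuf(int fd, int want, struct bufresult *r)
{
    socklen_t len = sizeof(r->effective);
    r->forced = r->force_errno = r->effective = 0;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &want, sizeof want) == 0) {
        r->forced = 1;              /* only reachable with CAP_NET_ADMIN */
    } else {
        r->force_errno = errno;     /* with the profile's deny rule this is EPERM */
        if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &want, sizeof want) != 0)
            return -1;              /* the fallback itself failed */
    }
    /* Linux reports twice the accepted value, so a capped request reads as 2 * rmem_max. */
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &r->effective, &len) != 0)
        return -1;
    return 0;
}

int probe_rcvbuf(int want, struct bufresult *r)   /* throwaway UDP socket, unprivileged */
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), rc;
    if (fd < 0)
        return -1;
    rc = grow_rcvbuf(fd, want, r);
    close(fd);
    return rc;
}

int main(void)
{
    struct bufresult r;
    if (probe_rcvbuf(8388608, &r) != 0)   /* the size traceroute asked for */
        return 1;
    printf("forced=%d force_errno=%d effective=%d bytes\n", r.forced, r.force_errno, r.effective);
    return 0;
}
```

Run without CAP_NET_ADMIN the report shows force_errno=1 (EPERM) and an effective size bounded by net.core.rmem_max, which is exactly the state the profile's deny rule leaves traceroute in; with the capability, forced=1 and the full doubled request is granted.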
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
Review: Needs Fixing

Hi Vincas!

Thanks for this merge request. I could reproduce the problem it's meant to fix, and I agree it makes sense to fix it. Two requests though:

1. could you please merge the 4 @{PROC} lines e.g.:

   @{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,

2. wrt. "deny capability net_admin": on Debian sid (traceroute 1:2.1.0-2), I can't reproduce the issue it's meant to fix; which version of traceroute and OS are you using? Any specific local configuration that might come into play?
[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
Vincas Dargis has proposed merging lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260

Running `sudo traceroute -T 8.8.8.8` (with TCP SYN mode, root perms. are needed) on Ubuntu 17.04 will produce DENIED messages:

type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:335): arch=c03e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:335): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:336): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_sack" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:336): arch=c03e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:336): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:337): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_timestamps" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:337): arch=c03e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:337): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:338): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_window_scaling" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:338): arch=c03e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:338): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable" profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12 capname="net_admin"
type=SYSCALL msg=audit(1497186803.543:339): arch=c03e syscall=54 success=no exit=-1 a0=4 a1=1 a2=21 a3=7ffc1125bef0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:339): proctitle=7472616365726F757465002D5400382E382E382E38

This patch provides fixes for them.

=== modified file 'profiles/apparmor.d/usr.sbin.traceroute' --- profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:07:26 + +++ profiles/apparmor.d/usr.sbin.traceroute 2017-06-24 15:28:54 + @@ -15,6 +15,7 @@ #include #include + deny capability net_admin, # noisy setsockopt() calls capability net_raw, network inet raw,
@@ -23,6 +24,10 @@ /usr/sbin/traceroute mrix, /usr/bin/traceroute.db mrix, @{PROC}/net/route r, + @{PROC}/sys/net/ipv4/tcp_ecn r, + @{PROC}/sys/net/ipv4/tcp_sack r, + @{PROC}/sys/net/ipv4/tcp_timestamps r, + @{PROC}/sys/net/ipv4/tcp_window_scaling r, # Site-specific additions and overrides. See local/README for details. #include
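Review bot: the comment on `deny capability net_admin, # noisy setsockopt() calls` in the first hunk should name the calls being refused and the fallback that makes refusing them safe, because AppArmor deny rules are quiet and a later reader of the profile cannot tell whether a real capability need is being suppressed. The strace in this thread shows SO_RCVBUFFORCE/SO_SNDBUFFORCE failing with EPERM and traceroute then succeeding with plain SO_RCVBUF/SO_SNDBUF, so the only cost is socket buffers capped at net.core.rmem_max/wmem_max; suggest `deny capability net_admin, # SO_{RCV,SND}BUFFORCE; traceroute falls back to SO_{RCV,SND}BUF` so that trade-off is recorded next to the rule.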
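Review bot: the four `@{PROC}/sys/net/ipv4/tcp_*` lines in the second hunk differ only in the file name and should be one brace-expanded rule, `@{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,`, the same globbing the profile already uses for its attachment path (`/usr/{sbin/traceroute,bin/traceroute.db}` in the audit log above); it grants exactly the four reads the DENIED entries show and nothing wider, and keeps the profile diff small.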