[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
intrigeri
intrigeri at boum.org
Tue Jul 4 06:30:29 UTC 2017
Review: Needs Information
> 1. Done.
Reviewed, looks good. Thanks! If this was all this merge request was about, I would approve the merge as-is.
> 2. I have just reproduced it on:
> Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
> Ubuntu 17.04 LiveCD on my physical machine.
>
> I, too, *cannot* reproduce it on Debian Sid for some unknown reason.
>
> strace shows failed calls on Ubuntu:
>
> setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
> […]
> What is strange, though, is that Debian and Ubuntu have the same defaults (212992),
> though it seems that only on Ubuntu traceroute tries to increase that
> option...
I suspect that traceroute does just the same on Debian *but* some AppArmor mediation only supported in the Ubuntu kernel blocks it there. So the question is: to quiet the logs, shall we allow or forbid it? In other words, what's the drawback of forbidding traceroute from performing these operations?
--
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.