[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

Vincas Dargis vindrg at gmail.com
Tue Jul 4 15:22:43 UTC 2017


About net_admin: Christian Boltz suggested that [0]:
> I'd like to avoid it

About Debian/Ubuntu:

> I suspect that traceroute does just the same on Debian *but* some AppArmor 
> mediation only supported in the Ubuntu kernel blocks it there. 

Maybe.. though `strace` does not show these calls on Debian at all. It does not even try to apply these SO_RCVBUFFORCE/SO_SNDBUFFORCE options at all:

# strace -e setsockopt traceroute -T google.com >/dev/null
setsockopt(3, SOL_IP, IP_MTU_DISCOVER, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_TIMESTAMP, [1], 4) = 0
setsockopt(3, SOL_IP, IP_RECVTTL, [1], 4) = 0
setsockopt(3, SOL_IP, IP_RECVERR, [1], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [1], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [2], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [3], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [4], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [5], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [6], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [7], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [8], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [9], 4)   = 0
setsockopt(3, SOL_IP, IP_TTL, [10], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [11], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [12], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [13], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [14], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [15], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [16], 4)  = 0
setsockopt(3, SOL_IP, IP_TTL, [17], 4)  = 0

Maybe I should ask traceroute upstream developers about that..?

[0] https://lists.ubuntu.com/archives/apparmor/2017-June/010785.html
-- 
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.