[apparmor] [patch] update usr.sbin.traceroute profile for TCP mode
Christian Boltz
apparmor at cboltz.de
Sun Jun 11 13:45:26 UTC 2017
Hello,
On Sunday, 11 June 2017, 15:18:16 CEST, Vincas Dargis wrote:
> Running `sudo traceroute -T 8.8.8.8` (with TCP SYN mode, root perms.
> are needed) on Ubuntu 17.04 will produce DENIED messages:
> This patch provides fixes for them:
>
> [ 01-traceroute-tcp-mode.diff ]
>
> === modified file 'profiles/apparmor.d/usr.sbin.traceroute'
> --- profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:07:26 +0000
> +++ profiles/apparmor.d/usr.sbin.traceroute 2017-06-11 13:06:02 +0000
> @@ -15,6 +15,7 @@
> #include <abstractions/consoles>
> #include <abstractions/nameservice>
>
> + capability net_admin,
> capability net_raw,
>
> network inet raw,
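Review bot: the added `capability net_admin,` is the one line in this patch without a matching denial on record: the covering message mentions DENIED messages but shows no audit line for net_admin, and the reply below could not reproduce it. Since net_admin also covers interface configuration and promiscuous mode, please attach the audit line that triggered it; if traceroute only probes for the capability and carries on without it, `deny capability net_admin,` silences the log noise without granting it.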
> @@ -23,6 +24,10 @@
> /usr/sbin/traceroute mrix,
> /usr/bin/traceroute.db mrix,
> @{PROC}/net/route r,
> + @{PROC}/sys/net/ipv4/tcp_ecn r,
> + @{PROC}/sys/net/ipv4/tcp_sack r,
> + @{PROC}/sys/net/ipv4/tcp_timestamps r,
> + @{PROC}/sys/net/ipv4/tcp_window_scaling r,
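Review bot: the four `@{PROC}/sys/net/ipv4/tcp_*` rules are read-only and cover exactly the sysctls named in the denials, so they are correct as written; as a style point they can be a single rule using AppArmor's alternation, `@{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,`, which keeps the grant just as narrow while shortening the profile.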
Just tested on openSUSE Tumbleweed: I can reproduce the
/proc/sys/net/ipv4/tcp_* reads, so the @{PROC} rules get my
Acked-by: Christian Boltz <apparmor at cboltz.de>
However, I can't reproduce the denial for capability net_admin.
net_admin allows quite a lot (interface configuration, set promiscuous
mode etc. - see man 7 capabilities), so I'd like to avoid it.
Is capability net_admin really needed (as in "traceroute breaks without
it") or does it work without it? If so, a deny capability net_admin,
rule might be an option.
Regards,
Christian Boltz
--
> |``All mail clients suck. This one just sucks less.'' -me, circa 1995
> This statement is more valid today than ever! ("me" is Michael Elkins!).
Pah. Mutt can't even interpret the simplest script worms.
Get out of here with that. [> David Haller and Ratti in fontlinge-devel]
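The question in this thread is which DENIED events justify which profile rules. As an added example (not part of the thread or of the AppArmor project), the script below parses constructed AppArmor audit lines of the kind `sudo traceroute -T` would produce, turns file denials into `@{PROC}` rules, and flags a broad capability such as net_admin for confirmation instead of granting it blindly; the log lines, the pid and the `BROAD_CAPS` set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the thread); the field layout follows
# the AppArmor kernel audit messages that aa-logprof consumes. CAP_NET_ADMIN is 12.
SAMPLE_LOG = """\
type=AVC msg=audit(1497188000.101:301): apparmor="DENIED" operation="capable" profile="/usr/sbin/traceroute" pid=4242 comm="traceroute" capability=12  capname="net_admin"
type=AVC msg=audit(1497188000.102:302): apparmor="DENIED" operation="open" profile="/usr/sbin/traceroute" name="/proc/sys/net/ipv4/tcp_ecn" pid=4242 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497188000.103:303): apparmor="DENIED" operation="open" profile="/usr/sbin/traceroute" name="/proc/sys/net/ipv4/tcp_sack" pid=4242 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497188000.104:304): apparmor="DENIED" operation="open" profile="/usr/sbin/traceroute" name="/proc/sys/net/ipv4/tcp_timestamps" pid=4242 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497188000.105:305): apparmor="DENIED" operation="open" profile="/usr/sbin/traceroute" name="/proc/sys/net/ipv4/tcp_window_scaling" pid=4242 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Assumed set of capabilities that reach far beyond a tracing tool's needs: for these,
# ask for a confirmed breakage before allowing, otherwise quiet the log with a deny rule.
BROAD_CAPS = {"net_admin", "sys_admin", "sys_ptrace", "dac_override"}

# key=value pairs, value either double-quoted or a bare token
FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Return one audit line as a dict of its key=value fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD.finditer(line)}

def suggest_rules(log_text, profile):
    """Turn DENIED events for `profile` into candidate profile rule lines."""
    caps, files = set(), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        if ev.get("operation") == "capable":
            caps.add(ev["capname"])
        elif "name" in ev and "requested_mask" in ev:
            # Use the @{PROC} variable so the rule also matches a non-default procfs mount.
            path = ev["name"].replace("/proc/", "@{PROC}/", 1)
            files[path].update(ev["requested_mask"])
    rules = []
    for cap in sorted(caps):
        if cap in BROAD_CAPS:
            rules.append(f"# REVIEW: {cap} is broad; confirm breakage, else: deny capability {cap},")
        else:
            rules.append(f"capability {cap},")
    for path, masks in sorted(files.items()):
        rules.append(f"{path} {''.join(sorted(masks))},")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG, "/usr/sbin/traceroute")))
```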