[apparmor] [patch] update usr.sbin.traceroute profile for TCP mode
Vincas Dargis
vindrg at gmail.com
Sun Jun 11 17:29:18 UTC 2017
2017.06.11 16:45, Christian Boltz wrote:
> Is capability net_admin really needed (as in "traceroute breaks without
> it") or does it work without it? If so, a deny capability net_admin,
> rule might be an option.
It does seem to work fine with `deny capability net_admin,`. With the deny rule enabled, strace displays these failures:
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
Looks like the culprit is SO_SNDBUFFORCE and SO_RCVBUFFORCE, used for overriding rlimits I guess.
On Ubuntu 17.04:
# sysctl -a | fgrep -e rmem_max -e wmem_max
net.core.rmem_max = 212992
net.core.wmem_max = 212992
Not sure how critical it is.