[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

Vincas Dargis vindrg at gmail.com
Sat Jun 24 15:29:26 UTC 2017


Vincas Dargis has proposed merging lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260

Running `sudo traceroute -T 8.8.8.8` (with TCP SYN mode, root perms. are needed) on Ubuntu 17.04 will produce DENIED messages:

type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:335): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:335): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:336): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_sack" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:336): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:336): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:337): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_timestamps" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:337): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:337): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:338): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_window_scaling" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:338): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:338): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable" profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12  capname="net_admin"
type=SYSCALL msg=audit(1497186803.543:339): arch=c000003e syscall=54 success=no exit=-1 a0=4 a1=1 a2=21 a3=7ffc1125bef0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:339): proctitle=7472616365726F757465002D5400382E382E382E38


This patch provides fixes for them.
-- 
Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: review-diff.txt
Type: text/x-diff
Size: 779 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170624/290b68ad/attachment.diff>
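
The denials quoted in the message above can be triaged mechanically. This is an added example, not part of the original message and not the contents of the scrubbed patch: it groups audit records by event serial, decodes the hex `proctitle`, and lists one candidate rule line per denial for a reviewer to vet. The function names and the candidate-rule output format are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three of the records quoted in the message above.
SAMPLE = """\
type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=PROCTITLE msg=audit(1497186803.543:335): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable" profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12  capname="net_admin"
"""

RECORD = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, serial, rest = m.groups()
            events[int(serial)][rtype] = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    return dict(events)

def decode_proctitle(value):
    """auditd hex-encodes the command line when argv contains NUL separators."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")
    except ValueError:
        return [value]  # value was logged as plain text

def summarize(text):
    """Return ({profile: sorted candidate rules}, set of command lines seen)."""
    rules, commands = defaultdict(set), set()
    for event in parse_events(text).values():
        avc = event.get("AVC", {})
        if avc.get("apparmor") != "DENIED":
            continue
        if avc.get("operation") == "capable":
            rules[avc["profile"]].add(f"capability {avc['capname']},")
        elif "name" in avc:
            rules[avc["profile"]].add(f"{avc['name']} {avc['denied_mask']},")
        if "PROCTITLE" in event:
            commands.add(" ".join(decode_proctitle(event["PROCTITLE"]["proctitle"])))
    return {p: sorted(r) for p, r in rules.items()}, commands

if __name__ == "__main__":
    by_profile, commands = summarize(SAMPLE)
    print(commands, by_profile)
```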
