[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

Vincas Dargis vindrg at gmail.com
Mon Jul 3 16:59:36 UTC 2017 

1. Done.

2. I have just reproduced it on:
Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
Ubuntu 17.04 LiveCD on my physical machine.

I, too, *cannot* reproduce it on Debian Sid for some unknown reason.

strace shows failed calls on Ubuntu:

setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) 

Changing SO_RCVBUFFORCE and SO_SNDBUFFORCE needs net_admin cap.

If I set:

sudo sysctl net.core.wmem_max=8388608                                                                          
sudo sysctl net.core.wmem_default=8388608

It no longer asks for net_admin.

What is strange though, that Debian and Ubuntu has the same defaults (212992), though it seems that only on Ubuntu traceroute tries to increase that option...

Maybe I should ask about it Ubuntu traceroute maintainer..?
-- 
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.

More information about the AppArmor mailing list