[Bug 2052493] Re: apparmor profile does not allow for rotating savefiles using the -C and -W options

Sergio Durigan Junior 2052493 at bugs.launchpad.net
Thu Feb 8 20:27:43 UTC 2024 

Hi Georgia,

Thank you for providing a fix for the bug.

I'd like to make a few recommendations for the next time.  Hopefully
these will help you better understand and navigate the sponsorship
process :-).

1) Providing a PPA with the proposed package built goes a long way to
help the sponsor verify the changes.  If the package has DEP8 tests,
providing a log of a DEP8 test run is also very welcome.

2) I noticed that you targeted jammy-security in the Jammy debdiff.  I
believe this may have been a typo/thinko, but just in case: if an upload
needs to go to the -security pocket, then the process is a bit
different.  You need to contact the Security team, and they will perform
their own checks.  Also, uploads to the -security pocket don't go
through the normal SRU process, and can't be sponsored by Ubuntu
Sponsors.

3) When you have the time, I'd recommend learning about the git-ubuntu
workflow.  I personally don't mind sponsoring debdiffs, but I've noticed
several people using git-ubuntu lately, and I think it can make the
process a bit easier for the contributor.


Otherwise, the debdiffs are great.  I just had to adjust the changelog message (the path for the file being changed is debian/usr.{s,}bin.tcpdump), and the target pocket for Jammy.

Uploaded.

Thanks!

** Also affects: tcpdump (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: tcpdump (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: tcpdump (Ubuntu Focal)
       Status: New => In Progress

** Changed in: tcpdump (Ubuntu Jammy)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2052493

Title:
  apparmor profile does not allow for rotating savefiles using the -C
  and -W options

Status in tcpdump package in Ubuntu:
  Fix Released
Status in tcpdump source package in Focal:
  In Progress
Status in tcpdump source package in Jammy:
  In Progress

Bug description:
  [ Impact ]

  AppArmor was denying the creation of .pcap files ending in digits
  which is required by the -W parameter of tcpdump. This issue had
  already been fixed upstream
  https://salsa.debian.org/rfrancoise/tcpdump/-/commit/7dcc3736cd19f2ae7ee45b7835646ab50437980a
  and currently only affect focal and jammy.

  I also added the permission for reading and writing of .cap and .pcapng files which were already allowed upstream as well.
  The debdiffs for both focal and jammy are in the comments

  [ Test Plan ]

  mkdir /test
  chmod 777 /test
  tcpdump -Z root -ni any -s 0 -w /test/pcap.pcap -C 500 -W 500 host 1.1.1.1

  Result:
  tcpdump: /test/pcap.pcap000: Permission denied

  Expected result:
  tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

  The cause is the apparmor profile: /etc/apparmor.d/usr.sbin.tcpdump
    # for -r, -F and -w
    /**.[pP][cC][aA][pP] rw,

  [ Where problems could occur ]

  The risk of allowing read and write to .pcap+digits is very minor
  considering that reading and writing to .pcap is already allowed by
  policy. Additionally, these rules are a requirement for the
  application to work properly.

  [ Other Info ]

  Upstream commits:
  https://salsa.debian.org/rfrancoise/tcpdump/-/commit/8763a4461751b2bf746d5f0ce7be253c44b6ac7f
  https://salsa.debian.org/rfrancoise/tcpdump/-/commit/7dcc3736cd19f2ae7ee45b7835646ab50437980a
  https://salsa.debian.org/rfrancoise/tcpdump/-/commit/c58462999b5e66a4564ec81062b049c45933bc8b

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcpdump/+bug/2052493/+subscriptions

More information about the Ubuntu-sponsors mailing list