tcpdump 4.0.0-6ubuntu3 denied read access to ethers(5) by apparmor profile

Bug #660904 reported by Trent W. Buck
This bug affects 2 people

Affects: tcpdump (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge
Milestone: (none listed)

Bug Description

 affects ubuntu/tcpdump
 importance low

While debugging the configuration of my Ubuntu router, I noticed the
following in dmesg:

[ 2410.773511] type=1503 audit(1286949714.517:12): operation="open" pid=1228 parent=1111 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ethers"
[92714.036092] type=1503 audit(1287040017.780:13): operation="open" pid=19770 parent=19592 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ethers"

I don't know why tcpdump *wants* to access ethers(5); probably to
supplement the in-kernel neighbours (ARP) table.

Note that out-of-the-box there is no /etc/ethers, which is probably
why nobody noticed this before. I use ethers(5) to tell dnsmasq which
MACs get "fixed" IPs via DHCP allocation.

Tags: apparmor

tags: added: apparmor
Jamie Strandboge (jdstrand) wrote:

Trent, thanks for reporting a bug and helping to make Ubuntu better.

Can you do the following:
1. add this to /etc/apparmor.d/usr.sbin.tcpdump:
  /etc/ethers r,

2. then perform:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.tcpdump

and then report back whether it fixes the issue for you.

Changed in tcpdump (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
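As an added example (not code from this bug report, nor from the tcpdump or AppArmor projects), a small Python helper that extracts the profile, path and denied mask from audit lines like the dmesg output above and derives the candidate profile rule that the comment asks to add. The sample lines are constructed from the report's own dmesg output; the `apparmor="DENIED"` marker is the format newer kernels use for the same event.

```python
import re

# Constructed sample: denial lines in the type=1503 format quoted in this bug,
# plus one unrelated kernel line to show it is ignored.
SAMPLE_LOG = """\
[ 2410.773511] type=1503 audit(1286949714.517:12): operation="open" pid=1228 parent=1111 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ethers"
Oct 26 13:07:45 fw-test kernel: [11097.942676] device eth1 entered promiscuous mode
Oct 26 13:07:57 fw-test kernel: [11109.844162] type=1503 audit(1288112877.167:10): operation="open" pid=1991 parent=1969 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ethers"
"""

# key="quoted value"  or  key=bareword
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_denials(text):
    """Return one dict of key/value fields per AppArmor denial line."""
    events = []
    for line in text.splitlines():
        # old kernels log denials as audit type=1503; newer ones add apparmor="DENIED"
        if "type=1503" not in line and 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in FIELD_RE.finditer(line):
            key = m.group(1) or m.group(3)
            fields[key] = m.group(2) if m.group(1) else m.group(4)
        if {"profile", "name", "denied_mask"} <= fields.keys():
            events.append(fields)
    return events


def suggest_rules(events):
    """Collapse denials into one candidate rule per (profile, path).

    Returns a sorted list of (profile, rule) tuples, e.g.
    ("/usr/sbin/tcpdump", "/etc/ethers r,").
    """
    wanted = {}
    for ev in events:
        # older kernels write masks such as "r::"; keep only the permission letters
        mask = "".join(ch for ch in ev["denied_mask"] if ch.isalpha())
        key = (ev["profile"], ev["name"])
        wanted[key] = "".join(sorted(set(wanted.get(key, "")) | set(mask)))
    return sorted((profile, f"{path} {mask},") for (profile, path), mask in wanted.items())


if __name__ == "__main__":
    for profile, rule in suggest_rules(parse_denials(SAMPLE_LOG)):
        print(f"{profile}: add '{rule}' to its profile")
```

Feed it the real output of `dmesg` or `/var/log/kern.log` and review each suggested rule by hand before adding it; a denial is evidence the program tried the access, not proof the access is legitimate.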
nutznboltz (nutznboltz-deactivatedaccount) wrote:

Trent W. Buck writes "I don't know why tcpdump *wants* to access ethers(5)"

Under certain conditions the init_etherarray() function, which populates the address-to-name tables, will read from /etc/ethers in an effort to be more efficient than using NIS (via /etc/nsswitch.conf).

There is a function in tcpdump called "etheraddr_string()" which constructs a formatted string containing link-level information (i.e. MAC addresses) which is used in many places in the tcpdump code that display link-level information. If data is available that associates given names to link-level addresses etheraddr_string() can optionally use that information. That is where the tables (if any) built by init_etherarray() are (mostly?) used.

nutznboltz (nutznboltz-deactivatedaccount) wrote:

Before updating the tcpdump apparmor configuration, log messages appear when tcpdump is invoked:

$ sudo tcpdump -i eth1

Oct 26 13:07:45 fw-test kernel: [11097.942676] device eth1 entered promiscuous mode
Oct 26 13:07:45 fw-test kernel: [11097.949899] type=1503 audit(1288112865.271:9): operation="open" pid=1991 parent=1969 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ethers"
Oct 26 13:07:57 fw-test kernel: [11109.844162] type=1503 audit(1288112877.167:10): operation="open" pid=1991 parent=1969 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ethers"

Updated the tcpdump apparmor configuration, and those messages do not occur:

$ diff -u usr.sbin.tcpdump.orig /etc/apparmor.d/usr.sbin.tcpdump
--- usr.sbin.tcpdump.orig 2010-10-26 14:52:12.647569659 -0400
+++ /etc/apparmor.d/usr.sbin.tcpdump 2010-10-26 14:53:20.379558668 -0400
@@ -25,6 +25,9 @@
   /dev/bus/usb/ r,
   /dev/bus/usb/** r,

+ # for -e (etc.)
+ /etc/ethers r,
+
   # for -F and -w
   audit deny @{HOME}/.* mrwkl,
   audit deny @{HOME}/.*/ rw,
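Review bot: the comment `# for -e (etc.)` on the new rule ties the read to the -e option, but the earlier comment in this thread says init_etherarray() reads /etc/ethers whenever tcpdump builds its address-to-name tables for etheraddr_string(), so a comment such as `# for ethers(5) MAC-to-name lookups` would describe why the rule is needed more accurately. The rule itself is appropriately minimal: read-only on a single fixed path, matching the denied_mask="r::" in the log, with no write, link or execute permission granted.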

$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.tcpdump

$ sudo tcpdump -i eth1

Oct 26 14:56:41 fw-test kernel: [17634.298002] device eth1 entered promiscuous mode
[no additional messages in /var/log/messages]

Changed in tcpdump (Ubuntu):
status: Incomplete → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package tcpdump - 4.1.1-1ubuntu3

---------------
tcpdump (4.1.1-1ubuntu3) natty; urgency=low

  * debian/usr.sbin.tcpdump: allow read access to /etc/ethers (LP: #660904)
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 12:56:05 -0600

Changed in tcpdump (Ubuntu):
status: Fix Committed → Fix Released