Merge lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor/2.12

Proposed by Vincas Dargis
Status: Merged
Merged at revision: 3690
Proposed branch: lp:~talkless/apparmor/fix_traceroute_tcp
Merge into: lp:apparmor/2.12
Diff against target: 19 lines (+2/-0)
1 file modified
profiles/apparmor.d/usr.sbin.traceroute (+2/-0)
To merge this branch: bzr merge lp:~talkless/apparmor/fix_traceroute_tcp
Reviewer Review Type Date Requested Status
Steve Beattie Approve
intrigeri Approve
Review via email: mp+326260@code.launchpad.net

Description of the change

Running `sudo traceroute -T 8.8.8.8` (TCP SYN mode, for which root permissions are needed) on Ubuntu 17.04 will produce DENIED messages:

type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:335): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:335): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:336): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_sack" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:336): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:336): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:337): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_timestamps" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:337): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:337): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:338): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_window_scaling" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:338): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:338): proctitle=7472616365726F757465002D5400382E382E382E38

type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable" profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12 capname="net_admin"
type=SYSCALL msg=audit(1497186803.543:339): arch=c000003e syscall=54 success=no exit=-1 a0=4 a1=1 a2=21 a3=7ffc1125bef0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:339): proctitle=7472616365726F757465002D5400382E382E382E38

This patch provides fixes for them.
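
The step the description leaves implicit, turning each DENIED audit record into the narrowest profile line that would satisfy it (what aa-logprof automates), as an added Python example. It is not part of this merge proposal or of AppArmor's own tooling; it goes a little beyond the description by handling any number of profiles and merging sibling paths under one directory into a brace alternation. The sample input is the AVC records quoted above; the function names and the rewrite of /proc to @{PROC} are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the type=AVC records quoted in the merge-proposal
# description, plus one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:335): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=AVC msg=audit(1497186803.543:336): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_sack" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497186803.543:337): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_timestamps" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497186803.543:338): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_window_scaling" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable" profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12 capname="net_admin"
"""

# key=value fields; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_record(line):
    """Return the key/value fields of one audit record, quotes stripped."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def apparmor_denials(text):
    """Yield only the AVC records that AppArmor marked as DENIED."""
    for line in text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") == "AVC" and rec.get("apparmor") == "DENIED":
            yield rec


def profile_path(name):
    """Rewrite a kernel path into profile form: /proc becomes the @{PROC} variable."""
    if name == "/proc" or name.startswith("/proc/"):
        return "@{PROC}" + name[len("/proc"):]
    return name


def suggest_rules(text):
    """Map profile name -> candidate rules. File denials that share a directory
    and an access mask are merged into one brace-alternation rule."""
    files = defaultdict(set)   # (profile, directory, mask) -> basenames
    caps = defaultdict(set)    # profile -> capability names
    for rec in apparmor_denials(text):
        profile = rec["profile"]
        if rec.get("operation") == "capable" and "capname" in rec:
            caps[profile].add(rec["capname"])
        elif "name" in rec and "denied_mask" in rec:
            directory, _, base = profile_path(rec["name"]).rpartition("/")
            files[(profile, directory, rec["denied_mask"])].add(base)
    rules = defaultdict(list)
    for (profile, directory, mask), bases in sorted(files.items()):
        names = sorted(bases)
        target = names[0] if len(names) == 1 else "{" + ",".join(names) + "}"
        rules[profile].append(f"{directory}/{target} {mask},")
    for profile, names in sorted(caps.items()):
        for cap in sorted(names):
            # A capability widens the profile far more than a file read does;
            # the reviewer may prefer "deny capability X," to quiet the log
            # instead (the choice this merge proposal made for net_admin).
            rules[profile].append(f"capability {cap},  # review: allow, or deny to quiet logs?")
    return dict(rules)


if __name__ == "__main__":
    for profile, candidates in suggest_rules(SAMPLE_AUDIT).items():
        print(f"profile {profile}:")
        for rule in candidates:
            print("  " + rule)
```

Run on the sample above it emits one merged `@{PROC}/sys/net/ipv4/{...} r,` line and one flagged `capability net_admin,` line for the traceroute profile; the capability line is deliberately marked for human review rather than emitted as a plain allow.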

Revision history for this message
intrigeri (intrigeri) wrote :

Hi Vincas! Thanks for this merge request. I could reproduce the problem it's meant to fix, and I agree it makes sense to fix it. Two requests though:

1. could you please merge the 4 @{PROC} lines e.g.:

  @{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,

2. wrt. "deny capability net_admin": on Debian sid (traceroute 1:2.1.0-2), I can't reproduce the issue it's meant to fix; which version of traceroute and OS are you using? Any specific local configuration that might come into play?

review: Needs Fixing
3663. By Vincas Dargis

fix traceroute denies in tcp mode

Revision history for this message
Vincas Dargis (talkless) wrote :

1. Done.

2. I have just reproduced it on:
Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
Ubuntu 17.04 LiveCD on my physical machine.

I, too, *cannot* reproduce it on Debian Sid for some unknown reason.

strace shows failed calls on Ubuntu:

setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)

Changing SO_RCVBUFFORCE and SO_SNDBUFFORCE needs net_admin cap.

If I set:

sudo sysctl net.core.wmem_max=8388608
sudo sysctl net.core.wmem_default=8388608

It no longer asks for net_admin.

What is strange though is that Debian and Ubuntu have the same defaults (212992), though it seems that only on Ubuntu does traceroute try to increase that option...

Maybe I should ask the Ubuntu traceroute maintainer about it..?
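
The setsockopt() pattern behind the net_admin denial, as an added Python example (not code from this merge proposal, from traceroute or from AppArmor): request the buffer with the SO_*BUFFORCE option first, which needs CAP_NET_ADMIN and so triggers the "capable" audit record, then fall back to the plain option on EPERM, which the kernel silently clamps to net.core.wmem_max / rmem_max. The numeric values of SO_SNDBUFFORCE and SO_RCVBUFFORCE are the Linux ones (Python's socket module does not export those names), the 8388608-byte request and the sysctl paths are the ones from this thread, and an AF_UNIX socket is used only because SOL_SOCKET options are family-independent and it needs no CAP_NET_RAW.

```python
import socket

# Linux values from <asm-generic/socket.h>; Python's socket module does not
# export these two names, so they are spelled out here (assumption: Linux ABI).
SO_SNDBUFFORCE = 32
SO_RCVBUFFORCE = 33


def read_sysctl(path):
    """Return an integer sysctl value, or None if /proc is not readable here."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def set_buffer(sock, force_opt, plain_opt, nbytes):
    """Request a buffer of nbytes the way the Ubuntu strace shows traceroute doing:
    the FORCE option first (CAP_NET_ADMIN, hence the AppArmor 'capable' denial),
    then the unprivileged option on EPERM, which the kernel clamps to
    net.core.wmem_max / rmem_max.  Returns (forced, effective_bytes)."""
    try:
        sock.setsockopt(socket.SOL_SOCKET, force_opt, nbytes)
        forced = True
    except PermissionError:  # EPERM: no CAP_NET_ADMIN, exactly the strace'd failure
        sock.setsockopt(socket.SOL_SOCKET, plain_opt, nbytes)
        forced = False
    # getsockopt reports twice the value that was set (the kernel doubles it to
    # account for skb overhead), so a clamped buffer reads back as 2 * *mem_max.
    return forced, sock.getsockopt(socket.SOL_SOCKET, plain_opt)


def demo(nbytes=8388608):
    """Exercise send and receive buffers on a throwaway AF_UNIX datagram socket
    and report what the kernel actually granted next to the sysctl ceiling."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        snd_forced, snd_eff = set_buffer(sock, SO_SNDBUFFORCE, socket.SO_SNDBUF, nbytes)
        rcv_forced, rcv_eff = set_buffer(sock, SO_RCVBUFFORCE, socket.SO_RCVBUF, nbytes)
    return {
        "requested": nbytes,
        "snd": {"forced": snd_forced, "effective": snd_eff,
                "max": read_sysctl("/proc/sys/net/core/wmem_max")},
        "rcv": {"forced": rcv_forced, "effective": rcv_eff,
                "max": read_sysctl("/proc/sys/net/core/rmem_max")},
    }


if __name__ == "__main__":
    result = demo()
    for side in ("snd", "rcv"):
        r = result[side]
        how = "FORCE accepted (CAP_NET_ADMIN held)" if r["forced"] else "fell back, clamped by sysctl"
        print(f"{side}: requested={result['requested']} effective={r['effective']} "
              f"sysctl_max={r['max']} ({how})")
```

Run without CAP_NET_ADMIN the FORCE call fails, the fallback succeeds and the effective size reads as twice the sysctl ceiling; raise wmem_max/rmem_max to at least the requested size, as done in the comment above, and the clamp no longer bites. Either way the program keeps working, which is what makes an explicit `deny capability net_admin,` a log-quieting measure rather than a functional loss for traceroute.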

Revision history for this message
intrigeri (intrigeri) wrote :

> 1. Done.

Reviewed, looks good. Thanks! If this was all this merge request was about, I would approve the merge as-is.

> 2. I have just reproduced it on:
> Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
> Ubuntu 17.04 LiveCD on my physical machine.
>
> I, too, *cannot* reproduce it on Debian Sid for some unknown reason.
>
> strace shows failed calls on Ubuntu:
>
> setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation
> not permitted)
> […]
> What is strange though is that Debian and Ubuntu have the same defaults (212992),
> though it seems that only on Ubuntu does traceroute try to increase that
> option...

I suspect that traceroute does just the same on Debian *but* some AppArmor mediation only supported in the Ubuntu kernel blocks it there. So the question is: to quiet the logs shall we allow or forbid it? In other words, what's the drawback of forbidding traceroute from performing these operations?

review: Needs Information
Revision history for this message
Vincas Dargis (talkless) wrote :

About net_admin: Christian Boltz suggested that [0]:
> I'd like to avoid it"

About Debian/Ubuntu:

> I suspect that traceroute does just the same on Debian *but* some AppArmor
> mediation only supported in the Ubuntu kernel blocks it there.

Maybe.. though `strace` does not show these calls on Debian at all; it does not even try to apply the SO_RCVBUFFORCE/SO_SNDBUFFORCE options:

# strace -e setsockopt traceroute -T google.com >/dev/null
setsockopt(3, SOL_IP, IP_MTU_DISCOVER, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_TIMESTAMP, [1], 4) = 0
setsockopt(3, SOL_IP, IP_RECVTTL, [1], 4) = 0
setsockopt(3, SOL_IP, IP_RECVERR, [1], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [1], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [2], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [3], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [4], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [5], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [6], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [7], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [8], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [9], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [10], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [11], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [12], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [13], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [14], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [15], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [16], 4) = 0
setsockopt(3, SOL_IP, IP_TTL, [17], 4) = 0

Maybe I should ask traceroute upstream developers about that..?

[0] https://lists.ubuntu.com/archives/apparmor/2017-June/010785.html

Revision history for this message
Seth Arnold (seth-arnold) wrote :

On Mon, Jul 03, 2017 at 04:59:36PM -0000, Vincas Dargis wrote:
> sudo sysctl net.core.wmem_max=8388608
> sudo sysctl net.core.wmem_default=8388608
>
> It no longer asks for net_admin.

Hrm, I wonder if these defaults make sense to apply to e.g. Ubuntu or
Debian as a whole, just to avoid this silly net_admin that every process
wants these days.

net_admin grants a lot of power, but just growing these windows is surely
a denial of service attack vector at the worst.

Thanks

Revision history for this message
Vincas Dargis (talkless) wrote :

Interestingly, the traceroute developer does not recall [0] changing these values... Could it be an Ubuntu-specific patch?

[0] https://sourceforge.net/p/traceroute/mailman/message/35927818/

Revision history for this message
intrigeri (intrigeri) wrote :

I'm fine with the current state of this MR, please merge :)

review: Approve
Revision history for this message
Steve Beattie (sbeattie) wrote :
review: Approve

Preview Diff

1=== modified file 'profiles/apparmor.d/usr.sbin.traceroute'
2--- profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:07:26 +0000
3+++ profiles/apparmor.d/usr.sbin.traceroute 2017-07-03 16:44:51 +0000
4@@ -15,6 +15,7 @@
5 #include <abstractions/consoles>
6 #include <abstractions/nameservice>
7
8+ deny capability net_admin, # noisy setsockopt() calls
9 capability net_raw,
10
11 network inet raw,
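Review bot: the comment on the added `deny capability net_admin, # noisy setsockopt() calls` line should say which calls are being silenced and why denying is safe, because a future reader seeing a deny on a capability will be tempted to "fix" it by granting it. The strace in this thread shows SO_RCVBUFFORCE/SO_SNDBUFFORCE returning EPERM and traceroute immediately retrying with SO_RCVBUF/SO_SNDBUF, which succeed, so the only effect of the deny is that the socket buffers stay clamped at net.core.rmem_max/wmem_max. Something like `deny capability net_admin, # SO_{RCV,SND}BUFFORCE in setsockopt(); the unprivileged fallback succeeds` captures that. Worth remembering as well that an explicit deny rule is quiet: if a later traceroute needs net_admin for something else, it will fail without an audit record to point at this line.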
12@@ -23,6 +24,7 @@
13 /usr/sbin/traceroute mrix,
14 /usr/bin/traceroute.db mrix,
15 @{PROC}/net/route r,
16+ @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
17
18 # Site-specific additions and overrides. See local/README for details.
19 #include <local/usr.sbin.traceroute>
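Review bot: style only on the added `@{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,` line: the `tcp_` prefix is repeated inside the alternation, and the form suggested earlier in the thread, `@{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,`, is equivalent and shorter. The `r` mask matches the denied_mask="r" in every audit record, so nothing wider than what was observed is granted.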
