2017.06.11 16:45, Christian Boltz rašė:
Is capability net_admin really needed (as in "traceroute breaks without it") or does it work without it? If so, a deny capability net_admin, rule might be an option.
It does seems to work fine with `deny capability net_admin,`. With denies enabled, strace displays these failures: setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0 setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0 setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0 setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0 setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0 setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0 setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0 setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) Looks like culprit is SO_SNDBUFFORCE and SO_RCVBUFFORCE, used for overriding rlimits I guess. On Ubuntu 17.04: # sysctl -a | fgrep -e rmem_max -e wmem_max net.core.rmem_max = 212992 net.core.wmem_max = 212992 Not sure how critical it is. -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor