Hello, the updated traceroute profile (especially the /proc/sys/net/ipv4/... rule) made it only into 2.11 and trunk, but it's also needed in 2.10.x which is used in openSUSE Leap 42.x.
I propose to apply this patch to the 2.10 and 2.9 branch. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900 ------------------------------------------------------------ revno: 3690 [merge] committer: Steve Beattie <sbeat...@ubuntu.com> branch nick: apparmor timestamp: Wed 2017-08-09 08:57:36 -0700 message: traceroute profile: support TCP SYN for probes, quite net_admin request Merge from Vincas Dargis, approved by intrigeri. fix traceroute denies in tcp mode Acked-by: Steve Beattie <st...@nxnw.org> ------------------------------------------------------------ === modified file 'profiles/apparmor.d/usr.sbin.traceroute' --- profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:07:26 +0000 +++ profiles/apparmor.d/usr.sbin.traceroute 2017-07-03 16:44:14 +0000 @@ -15,6 +15,7 @@ #include <abstractions/consoles> #include <abstractions/nameservice> + deny capability net_admin, # noisy setsockopt() calls capability net_raw, network inet raw, @@ -23,6 +24,7 @@ /usr/sbin/traceroute mrix, /usr/bin/traceroute.db mrix, @{PROC}/net/route r, + @{PROC}/sys/net/ipv4/ {tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.traceroute> Regards, Christian Boltz -- SUSE is a Linux based company with a very open/participative culture. This is not the military. [Agustin Benito Bethencourt in opensuse-factory]
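Review bot: in the first hunk, the added `deny capability net_admin,` carries only the comment "noisy setsockopt() calls", which names neither the socket option behind the request nor the fact that the probes work without the capability. An explicit deny silences the audit message and also takes precedence over any allow rule, so a site that does need net_admin cannot grant it back through local/usr.sbin.traceroute. Suggest expanding the comment to say the deny exists only to quiet logging, so the 2.10 and 2.9 branches carry the reasoning together with the rule.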
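Review bot: in the second hunk, the new `@{PROC}/sys/net/ipv4/` rule appears here with whitespace between the directory and the `{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling}` alternation. When applying it to the 2.10 and 2.9 branches, check that the path and the brace list form a single token followed by `r,`, since a split path would not cover the four sysctl files. The rule also has no trailing comment; a short note that these files are read in TCP mode would match the commented capability line added in the first hunk.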