On Tue, Sep 12, 2017 at 06:03:24PM +0200, Christian Boltz wrote: > Hello, > > the updated traceroute profile (especially the /proc/sys/net/ipv4/... > rule) made it only into 2.11 and trunk, but it's also needed in 2.10.x > which is used in openSUSE Leap 42.x. > > I propose to apply this patch to the 2.10 and 2.9 branch.
Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900 > > > ------------------------------------------------------------ > revno: 3690 [merge] > committer: Steve Beattie <sbeat...@ubuntu.com> > branch nick: apparmor > timestamp: Wed 2017-08-09 08:57:36 -0700 > message: > traceroute profile: support TCP SYN for probes, quite net_admin request > > Merge from Vincas Dargis, approved by intrigeri. > fix traceroute denies in tcp mode > > Acked-by: Steve Beattie <st...@nxnw.org> > ------------------------------------------------------------ > > > === modified file 'profiles/apparmor.d/usr.sbin.traceroute' > --- profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:07:26 +0000 > +++ profiles/apparmor.d/usr.sbin.traceroute 2017-07-03 16:44:14 +0000 > @@ -15,6 +15,7 @@ > #include <abstractions/consoles> > #include <abstractions/nameservice> > > + deny capability net_admin, # noisy setsockopt() calls > capability net_raw, > > network inet raw, > @@ -23,6 +24,7 @@ > /usr/sbin/traceroute mrix, > /usr/bin/traceroute.db mrix, > @{PROC}/net/route r, > + @{PROC}/sys/net/ipv4/ > {tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r, > > # Site-specific additions and overrides. See local/README for details. > #include <local/usr.sbin.traceroute> > >
signature.asc
Description: PGP signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
