Public bug reported:

With the help of AppArmor on 17.04 and 17.10 I've discovered that traceroute
needs net_admin capabilities.

My plan is to update the AppArmor profile [0] to fix various DENIED messages
in syslog/audit for traceroute, though I am not sure about allowing, or
denying, the net_admin capability.

Looks like traceroute tries to set SO_RCVBUFFORCE and SO_SNDBUFFORCE:

setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)

What is interesting is that the traceroute developer does not recall changing
these values [1]. On Debian Sid and openSUSE Tumbleweed this issue does
not reproduce either.

Could it be some Ubuntu-specific patch in the works? It seems that
traceroute works OK without net_admin...

Thanks!

[0] https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
[1] https://sourceforge.net/p/traceroute/mailman/message/35927818/

** Affects: traceroute (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  With help of AppArmor on 17.04 and 17.10 I've discovered that traceroute
  needs net_admin capabilities.
  
- My plan is to update AppArmor profile to fix various DENIED messages in
- syslog/audit for traceroute, though I am not sure about allowing, or
+ My plan is to update [0] AppArmor profile to fix various DENIED messages
+ in syslog/audit for traceroute, though I am not sure about allowing, or
  denying, net_admin capability.
  
  Looks like traceroute tries to set SO_RCVBUFFORCE and SO_SNDBUFFORCE:
  
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  
  What is interesting, that traceroute developer does not recall changing
- these values [0]. On Debian Sid and OpenSuse Tumbleween this issue does
+ these values [1]. On Debian Sid and OpenSuse Tumbleween this issue does
  not reproduce either.
  
  Could it be some Ubuntu-specific patch in the works? It seems that
  traceroute works OK without net_admin...
  
  Thanks!
  
- [0] https://sourceforge.net/p/traceroute/mailman/message/35927818/
+ [0] 
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
+ [1] https://sourceforge.net/p/traceroute/mailman/message/35927818/

** Description changed:

  With help of AppArmor on 17.04 and 17.10 I've discovered that traceroute
  needs net_admin capabilities.
  
  My plan is to update [0] AppArmor profile to fix various DENIED messages
  in syslog/audit for traceroute, though I am not sure about allowing, or
  denying, net_admin capability.
  
  Looks like traceroute tries to set SO_RCVBUFFORCE and SO_SNDBUFFORCE:
  
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation 
not permitted)
  
  What is interesting, that traceroute developer does not recall changing
- these values [1]. On Debian Sid and OpenSuse Tumbleween this issue does
+ these values [1]. On Debian Sid and OpenSuse Tumbleweed this issue does
  not reproduce either.
  
  Could it be some Ubuntu-specific patch in the works? It seems that
  traceroute works OK without net_admin...
  
  Thanks!
  
  [0] 
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
  [1] https://sourceforge.net/p/traceroute/mailman/message/35927818/

https://bugs.launchpad.net/bugs/1703649

Title:
  Traceroute needs net_admin capability for unknown reason
