apparmor denies -z option. Number of loaded profiles grows.

Bug #722856 reported by Doug Smythies
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
tcpdump (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |

Bug Description

Binary package hint: tcpdump

The default apparmor profile does not allow the use of the -z option in tcpdump.
O.K., so one can work around it via setting that profile to "complain" mode, however then the number of loaded profiles will grow with each loop. It appears as though the profiles are not flushed upon termination of the script or program that the -z option executed.

OS Version: Ubuntu server 64 bit 10.10

tcpdump:
  Installed: 4.1.1-1ubuntu2
  Candidate: 4.1.1-1ubuntu2
  Version table:
 *** 4.1.1-1ubuntu2 0
        500 http://ca.archive.ubuntu.com/ubuntu/ maverick/main amd64 Packages
        100 /var/lib/dpkg/status

Note: I could not use apport, as I have no GUI.

Tags: apparmor

Doug Smythies (dsmythies) wrote :

Clarification: I don't necessarily expect to be able to have apparmor allow me to run a script from my own directory without my editing the local profile. However, and there is an example buried in the audit log, I do expect it to allow me to run gzip from the default configuration.

The commands I was using:

sudo tcpdump -i eth1 -w 'eth1-%F-%H-%M-%S.bin' -G 300 -z /home/doug/scripts/packet_post_processor

sudo tcpdump -i eth1 -w 'eth1-%F-%H-%M-%S.bin' -G 300 -z gzip

Simon Déziel (sdeziel) wrote :

I was caught by this during a long capture and eventually ran out of space :(

I think the default profile should authorize the invocation of common compression tools (gzip, bzip2). If someone needs a special post processing script/binary they should customize /etc/apparmor.d/local/usr.sbin.tcpdump to suit their needs.

I would really appreciate an SRU for Lucid, which is affected too. Should I provide debdiffs to facilitate this?

Changed in tcpdump (Ubuntu):
status: New → Confirmed
Changed in tcpdump (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tcpdump - 4.1.1-2ubuntu2

---------------
tcpdump (4.1.1-2ubuntu2) oneiric; urgency=low

  * debian/usr.sbin.tcpdump:
    - allow gzip and bzip2 (LP: #722856)
    - allow read and write to .pcap files
    - allow read of /var/log/snort/*log* files
  * debian/patches/90_man_apparmor.diff: update man page to reference AppArmor
    confinement
 -- Jamie Strandboge <email address hidden> Wed, 22 Jun 2011 09:13:45 -0500

Changed in tcpdump (Ubuntu):
status: In Progress → Fix Released
Doug Smythies (dsmythies) wrote :

Thank you for the fix for this. I would very much like to try it, however from observing the package dependencies it seems that I can not (fix depends on libssl1.0.0 and Ubuntu 10.10 has libssl0.9.8m-1). As I have for many months now, I will continue to run with apparmor for tcpdump disabled, and come back to this in the future.

Doug Smythies (dsmythies) wrote :

On Ubuntu forums I found a link to Oneiric Ocelot Alpha 2 (server). So I tried it as a virtual machine. It had the above mentioned revised tcpdump package. As expected, the issues of this problem report all worked fine. Thanks again.

Jamie Strandboge (jdstrand) wrote :

Doug, all you really need is the /etc/apparmor.d/usr.sbin.tcpdump from the Oneiric package. It should work fine in earlier releases.
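
Added example, not part of the original report or of the Ubuntu package: a Python script that reads AppArmor audit lines, picks out exec denials raised under the tcpdump profile (the -z case reported here), and prints candidate lines for /etc/apparmor.d/local/usr.sbin.tcpdump, the file mentioned in the comments above. The log lines are constructed, and the function names, the SYSTEM_DIRS list and the choice of `ixr` permissions are assumptions.

```python
import re

PROFILE = "/usr/sbin/tcpdump"         # assumed profile name for the tcpdump binary
SYSTEM_DIRS = ("/bin/", "/usr/bin/")  # assumption: root-owned helper locations

# Constructed kernel audit lines (not taken from the bug's attachments).
SAMPLE_LOG = '''\
type=1400 audit(1298311201.123:45): apparmor="DENIED" operation="exec" parent=2101 profile="/usr/sbin/tcpdump" name="/bin/gzip" pid=2150 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=1400 audit(1298311501.456:46): apparmor="DENIED" operation="exec" parent=2101 profile="/usr/sbin/tcpdump" name="/bin/gzip" pid=2163 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=1400 audit(1298311801.789:47): apparmor="DENIED" operation="exec" parent=2101 profile="/usr/sbin/tcpdump" name="/home/doug/scripts/packet_post_processor" pid=2170 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=1000
type=1400 audit(1298311802.001:48): apparmor="DENIED" operation="open" parent=2101 profile="/usr/sbin/tcpdump" name="/etc/example.conf" pid=2101 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1298311803.002:49): apparmor="DENIED" operation="exec" parent=900 profile="/usr/sbin/cupsd" name="/bin/sh" pid=2180 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Turn the key=value and key="value" pairs of one audit line into a dict."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD.findall(line)}

def denied_execs(log_text, profile=PROFILE):
    """Return the sorted, de-duplicated paths whose exec was denied under profile."""
    paths = set()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "exec"
                and f.get("profile") == profile
                and "x" in f.get("denied_mask", "") and f.get("name")):
            paths.add(f["name"])
    return sorted(paths)

def local_rules(paths):
    """Build candidate lines for /etc/apparmor.d/local/usr.sbin.tcpdump."""
    rules = []
    for path in paths:
        # ix: the helper inherits the tcpdump profile, so it stays confined and
        # also needs file rules for whatever it reads and writes.
        rule = f"{path} ixr,"
        if path.startswith(SYSTEM_DIRS) and not re.search(r"[\s*?\[\]{}]", path):
            rules.append(rule)
        else:
            # Path outside the system directories: leave it for a human decision.
            rules.append(f"# review before enabling: {rule}")
    return rules

if __name__ == "__main__":
    print("\n".join(local_rules(denied_execs(SAMPLE_LOG))))
```

After editing the local file, reload the profile with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump`.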
