apparmor policy for tcpdump does not allow reading of "pcapng" files

Bug #2024017 reported by Chris Kuethe
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tcpdump (Debian) | Fix Released | Unknown | | |
| tcpdump (Ubuntu) | Fix Released | Low | Andreas Hasenack | |

Bug Description

As the title says, the stock apparmor policy for tcpdump does not allow "pcapng" files - such as those produced by wireshark - to be read. This manifests as an opaque "permission denied" message on the terminal and a log like this in dmesg:

`[239871.151443] audit: type=1400 audit(1686850017.603:206): apparmor="DENIED" operation="open" class="file" profile="tcpdump" name="/tmp/test.pcapng" pid=515786 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`

The stock policy /etc/apparmor.d/usr.bin.tcpdump contains these rules (note the lack of pcapng):

```
 # for -r, -F and -w
  /**.[pP][cC][aA][pP] rw,
  /**.[cC][aA][pP] rw,
```

Just for fun, I linked my test file to `/tmp/test.pcap` and tcpdump was able to parse it correctly, so the problem was definitely not an invalid format.

I then added a local rule in /etc/apparmor.d/local/usr.bin/tcpdump which allowed tcpdump to read it:

```
/**.[pP][cC][aA][pP][nN][gG] rw,
```

System info:
```
$ lsb_release -rd
Description: Pop!_OS 22.04 LTS
Release: 22.04

$ apt-cache policy tcpdump
tcpdump:
  Installed: 4.99.1-3ubuntu0.1
  Candidate: 4.99.1-3ubuntu0.1
  Version table:
 *** 4.99.1-3ubuntu0.1 500
        500 http://apt.pop-os.org/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.99.1-3build2 500
        500 http://apt.pop-os.org/ubuntu jammy/main amd64 Packages
```

Tags: patch
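
As an added illustration (not part of the bug report or of the tcpdump package), this Python sketch checks the audit record from the description against the profile's file rules, before and after the local pcapng rule. It uses a simplified translation of AppArmor globs to regular expressions; the function names are made up for this example, and qualifiers such as `deny` or `owner` are not modelled.

```python
import re

def glob_to_regex(glob):
    # Simplified AppArmor glob translation (assumption): only **, *, ? and
    # [...] are handled, which covers the tcpdump rules quoted in this report.
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2            # ** crosses directory separators
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1         # * stays inside one path component
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":
            j = glob.index("]", i + 1)          # copy the character class as-is
            out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out), re.DOTALL)

def parse_rules(text):
    # Turn "<glob> <perms>," lines into (compiled regex, permission set) pairs.
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            glob, perms = line.rstrip(",").rsplit(None, 1)
            rules.append((glob_to_regex(glob), set(perms)))
    return rules

def parse_denial(audit_line):
    # Collect the key="value" fields of an AppArmor audit record.
    return dict(re.findall(r'(\w+)="([^"]*)"', audit_line))

def still_denied(rules, denial):
    # True when no matching rule grants every permission in denied_mask.
    granted = set()
    for regex, perms in rules:
        if regex.fullmatch(denial["name"]):
            granted |= perms
    return not set(denial["denied_mask"]) <= granted

# Rules and (abbreviated) audit record copied from the bug description above.
STOCK = "# for -r, -F and -w\n/**.[pP][cC][aA][pP] rw,\n/**.[cC][aA][pP] rw,"
LOCAL = "/**.[pP][cC][aA][pP][nN][gG] rw,"
AUDIT = ('audit: type=1400 audit(1686850017.603:206): apparmor="DENIED" '
         'operation="open" class="file" profile="tcpdump" name="/tmp/test.pcapng" '
         'requested_mask="r" denied_mask="r"')

if __name__ == "__main__":
    d = parse_denial(AUDIT)
    print(d["name"], "stock:", still_denied(parse_rules(STOCK), d))
    print(d["name"], "stock+local:", still_denied(parse_rules(STOCK + "\n" + LOCAL), d))
```
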
Chris Kuethe (ckuethe) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Proposed addition to the apparmor policy" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Brian Murray (brian-murray) wrote :

Thanks for the bug report and including a fix. Looking at the tcpdump package in Debian I see that the apparmor profile is also included in the Debian version of the package. Subsequently, the best thing to do would be opening a bug report or merge proposal in Debian. The Debian bug tracker only has an email interface so the easiest approach might be to create a merge proposal. You can find the upstream code here:

https://salsa.debian.org/rfrancoise/tcpdump/-/tree/master/debian

Here you'll find information about how to report bugs to Debian if you choose to go that route:

https://www.debian.org/Bugs/Reporting

Changed in tcpdump (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Chris Kuethe (ckuethe) wrote :
Chris Kuethe (ckuethe) wrote :
Changed in tcpdump (Debian):
status: Unknown → New
Changed in tcpdump (Debian):
status: New → Fix Committed
Andreas Hasenack (ahasenack) wrote :

Thanks for the patch and salsa PR, Chris!

I sponsored this for Ubuntu Mantic, the current development release. I see from your bug description that you encountered this problem in jammy. Would you like to proceed with preparing an SRU for Jammy and other ubuntu releases where this problem exists?

We can guide you through the process. Since this is a very specific fix, it shouldn't be too hard. We would basically need a debdiff (or PR) for the affected ubuntu releases, and the SRU template[1] filled out in the bug description.

1. https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

Changed in tcpdump (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Chris Kuethe (ckuethe) wrote :

Sure, I hate to maintain my own private patches and would much rather see it merged upstream.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tcpdump - 4.99.3-1ubuntu2

---------------
tcpdump (4.99.3-1ubuntu2) mantic; urgency=medium

  [ Chris Kuethe ]
  * d/usr.sbin.tcpdump: Allow pcapng files (LP: #2024017)

 -- Andreas Hasenack <email address hidden> Fri, 14 Jul 2023 18:07:50 -0300

Changed in tcpdump (Ubuntu):
status: In Progress → Fix Released
Changed in tcpdump (Debian):
status: Fix Committed → Fix Released