With help of AppArmor on 17.04 and 17.10 I've discovered that traceroute needs net_admin capabilities.
My plan is to update AppArmor profile to fix various DENIED messages in syslog/audit for traceroute, though I am not sure about allowing, or denying, net_admin capability.
Looks like traceroute tries to set SO_RCVBUFFORCE and SO_SNDBUFFORCE:
What is interesting, that traceroute developer does not recall changing these values [0]. On Debian Sid and OpenSuse Tumbleween this issue does not reproduce either.
Could it be some Ubuntu-specific patch in the works? It seems that traceroute works OK without net_admin...
With help of AppArmor on 17.04 and 17.10 I've discovered that traceroute needs net_admin capabilities.
My plan is to update AppArmor profile to fix various DENIED messages in syslog/audit for traceroute, though I am not sure about allowing, or denying, net_admin capability.
Looks like traceroute tries to set SO_RCVBUFFORCE and SO_SNDBUFFORCE:
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
What is interesting, that traceroute developer does not recall changing these values [0]. On Debian Sid and OpenSuse Tumbleween this issue does not reproduce either.
Could it be some Ubuntu-specific patch in the works? It seems that traceroute works OK without net_admin...
Thanks!
[0] https:/ /sourceforge. net/p/tracerout e/mailman/ message/ 35927818/