How can I run tcpdump from a Python script without AppArmor complaining?

Well this should be a start, if you haven't already browsed it: https://help.ubuntu.com/community/AppArmor

Author: sk29910

Updated on September 18, 2022

Comments

  • sk29910 over 1 year

    For inconvenient reasons going beyond the scope of this question, I have to run tcpdump from within a Python script. I currently just call subprocess.Popen(['tcpdump', ...]) and everything works just fine. However, when I use tools like PyInstaller to package the script into an executable, and run it (as root), I get the following error:

    tcpdump: error while loading shared libraries: libcrypto.so.0.9.8: "failed to map segment from shared object: Permission denied" 
    

    As I found out, this is AppArmor whining. Now, I can easily replace my call to tcpdump with the following:

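    import subprocess

    subprocess.call(['aa-complain', '/usr/sbin/tcpdump'])  # put the tcpdump profile into complain mode
    pcap = subprocess.Popen(['tcpdump', ...])
    subprocess.call(['aa-enforce', '/usr/sbin/tcpdump'])   # put the profile back into enforce mode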
    

    Now it prints two info lines (about changing into complain/enforce mode), and runs tcpdump without further complaints.

    The people who will run this script will run it as root when they want to do packet captures, so I don't see how this is a security problem. At the same time, the above seems hackish to me. So to the AppArmor experts among you: is this the canonical way to deal with it?

    PS. I'm also thankful for links to a good, quick introduction to AppArmor in general, since this is the first time I'm encountering this.
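
An alternative that leaves the tcpdump profile in enforce mode, as an added example that is not part of the original post. It assumes the denial happens because the PyInstaller bootloader points LD_LIBRARY_PATH at its extraction directory, so tcpdump tries to map a bundled libcrypto that its profile does not allow; the page does not confirm this cause. `unfrozen_env` and `start_capture` are hypothetical names.

```python
import os
import subprocess
import sys


def unfrozen_env(environ=None, frozen=None):
    """Return a copy of the environment that is safe to hand to a system binary.

    Assumption: on Linux the PyInstaller bootloader rewrites LD_LIBRARY_PATH
    to its extraction directory and, if the variable was set before, keeps
    the previous value in LD_LIBRARY_PATH_ORIG.
    """
    env = dict(os.environ if environ is None else environ)
    if frozen is None:
        frozen = bool(getattr(sys, "frozen", False))  # set by PyInstaller

    original = env.pop("LD_LIBRARY_PATH_ORIG", None)
    if original is not None:
        # Restore the value the user had before the bootloader changed it.
        env["LD_LIBRARY_PATH"] = original
    elif frozen:
        # The variable was unset originally, so whatever is there now was
        # put there by the bootloader: drop it for the child process.
        env.pop("LD_LIBRARY_PATH", None)
    return env


def start_capture(args, tcpdump="/usr/sbin/tcpdump"):
    """Start tcpdump with the cleaned environment.

    `args` are the caller's tcpdump options (elided on the page). The
    AppArmor profile is never switched to complain mode.
    """
    return subprocess.Popen([tcpdump, *args], env=unfrozen_env())


if __name__ == "__main__":
    # Constructed sample environment, as a frozen process might see it.
    sample = {"PATH": "/usr/sbin:/usr/bin", "LD_LIBRARY_PATH": "/tmp/_MEIsample"}
    print(unfrozen_env(sample, frozen=True))
```
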