Fix tcpdump report error when tacacs enabled.

[liuh-80]

Fix tcpdump report error when tacacs enabled.

Why I did it

Fix tcpdump report error when tacacs enabled:
Sep 1 09:25:18.189395 vlab-01 ERR tcpdump: nss_tacplus: /etc/tacplus_nss.conf fopen failed
Sep 1 09:25:18.189606 vlab-01 ERR tcpdump: nss_tacplus: bad config or server line for nss_tacplus

This is because debian add a patch create AppArmor profile for resource access control. The profile need update to allow tcpdump access /etc/tacplus_nss.conf.

Work item tracking

• Microsoft ADO: 17667308

How I did it

Modify tcpdump AppArmor profile, add new line to allow tcpdump access TACACS config file:

/etc/tacplus_nss.conf r,

How to verify it

Pass all UT.
Manually verify error fixed.

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111
• 202205
• 202211
• 202305

Tested branch (Please provide the tested image version)

• SONiC.master-16372.360223-d5d6c64c5
• SONiC.202205-16610.367814-d52a71b48
• SONiC.202211-16611.367823-11a8b8d55
• SONiC.202305.388563-584c448b2

Description for the changelog

Fix tcpdump report error when tacacs enabled.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

[lguohan]

is this tested on 202205 branch?

[lguohan]

why tcpdump needs access to /etc/tacplus_nss.conf?

[lguohan]

the apparmor has local/usr.bin.tcpdump to allow local customization, suggest to use that mechanism instead of modifying this file which is a little bit fragile.

[lguohan]

suggest to override /etc/apparmor.d/local/usr.bin.tcpdump

[liuh-80]

is this tested on 202205 branch?

Yes, this tested on 202205 branch by copy the modified profile.

[liuh-80]

tacplus_nss

The code of tcpdump will invoke 'getpwnam' API, and nss-tacplus plugin hook this API for TACACS authentication.

[liuh-80]

suggest to override /etc/apparmor.d/local/usr.bin.tcpdump

Fixed, validate with new image again and confirm the issue fixed.

[lguohan]

there is local file why to add some files in the buildimage, this does not seem to be the standard way.

[liuh-80]

This code is modifying the local file: '/etc/apparmor.d/local/usr.bin.tcpdump'
The local file been created by tcpdump install.

[liuh-80]

@lguohan , Could you please check this PR again? I reply your comments, current code does not add new file in buildimage, when install tcpdump, the package will install a local apparmer profile, and current code will check and modify the local apparmer profile.

[lguohan]

the local apparmer profile is empty, right?

it is better to make the local file more deterministic

suggest to use this approach.

sudo cp files/dhcp/rfc3442-classless-routes $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d

[liuh-80]

@lguohan , thanks, fixed according to your suggestion, please check.

[qiluo-msft]

@liuh-80 As the process, if you require backport to 202205, please make sure it could be clean cherry-pick to 202205 locally, test it locally, and add the version string into PR description "Tested branch (Please provide the tested image version)". This PR description process only applies to the earliest branch you want to backport.

---

In reply to: 1712434300

[liuh-80]

@liuh-80 As the process, if you require backport to 202205, please make sure it could be clean cherry-pick to 202205 locally, test it locally, and add the version string into PR description "Tested branch (Please provide the tested image version)". This PR description process only applies to the earliest branch you want to backport.

In reply to: 1712434300

Fixed, verify this PR can clean cherry-pick to 202205, also tested image version updated.

[StormLiangMS]

@liuh-80 have you tested with 202305? Could you update in the description?

[liuh-80]

@liuh-80 have you tested with 202305? Could you update in the description?

Verified with SONiC.202305.388563-584c448b2, PR description updated.

[mssonicbld]

Cherry-pick PR to 202305: #17077