[apparmor] IPv6 support in various profiles
John Johansen
john.johansen at canonical.com
Wed Apr 18 01:22:19 UTC 2012
On 04/05/2012 01:47 PM, Christian Boltz wrote:
> Hello,
>
sorry for the delay, very busy lately for some reason :/
> should we check all profiles if they need inet6 added?
>
yes, thanks for bringing this up
> (Note that I don't have an IPv6 setup here, so I can't test it.)
>
>
> A quick grep shows the following candidates:
>
> a) profiles/apparmor.d/
>
>> bin.ping: network inet raw,
>
> Does /bin/ping also work for ipv6 or is that the job of the separate
> /bin/ping6 binary? ping6 doesn't have a profile yet - maybe we could
> solve it by changing the profile name to /bin/ping{,6} ?
>
yes ping supports ipv6
>> sbin.klogd: network inet stream,
>
> Does klogd support IPv6?
>
not that I know of, and a quick google didn't turn up anything
>> usr.lib.dovecot.managesieve-login: network inet stream,
>
> Same question here ;-) - usr.lib.dovecot.imap-login has IPv6 support
> (see separate mail with patch some minutes ago), so chances are good.
>
err, wasn't this addressed here
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/978584
>> usr.sbin.dnsmasq: network inet raw,
>
yep
> ... and here
>
>> usr.sbin.nscd: network inet dgram,
>> usr.sbin.nscd: network inet stream,
>
yep
> ... and here
>
>> usr.sbin.ntpd: network inet dgram,
>> usr.sbin.ntpd: network inet stream,
>> usr.sbin.ntpd: network inet6 stream,
>
> ... and here - but only for inet6 dgram. Note that inet{,6} stream is
> already allowed.
>
I am not sure but would assume so
>
> b) profiles/apparmor/profiles/extras/
>
>> usr.sbin.dhcpd: network inet raw,
>
> Does dhcpd also handle IPv6 or is there a separate version?
>
>
hrmmm, I believe it can be run in either mode, so either ipv4 or ipv6.
I am not sure it can do both simultaneously.
> Fortunately most profiles get network access via abstractions, which
> already include support for IPv4 and IPv6.
>
yes, and no. It's covered a lot by default but once we tighten things
down I am not so sure it will be something we want in the base abstractions
anymore
>
>
> Regards,
>
> Christian Boltz
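The candidate list above came from a quick grep for `network inet` rules. The following script is an added example, not part of this thread or of the AppArmor profile tree: it parses each profile's plain `network` rules and reports the socket types allowed for `inet` that have no matching `inet6` rule, so the check can be re-run after the profiles are edited. The sample profiles embedded in it are constructed for illustration.

```python
import re
from typing import Dict, List

# Matches plain AppArmor network rules such as "network inet stream," or
# "network inet6 dgram,". The socket type is optional: "network inet,"
# grants every type for that family. Commented-out rules do not match
# because the pattern is anchored at the start of the line.
NETWORK_RULE = re.compile(
    r"^\s*network\s+(?P<family>inet6?)(?:\s+(?P<type>\w+))?\s*,",
    re.MULTILINE,
)

def missing_inet6(profile_text: str) -> List[str]:
    """Socket types a profile allows for inet but not for inet6.

    '*' stands for a bare 'network inet,' rule (any socket type).
    """
    allowed = {"inet": set(), "inet6": set()}
    for m in NETWORK_RULE.finditer(profile_text):
        allowed[m.group("family")].add(m.group("type") or "*")
    if "*" in allowed["inet6"]:          # inet6 already covers every type
        return []
    return sorted(t for t in allowed["inet"] if t not in allowed["inet6"])

def audit(profiles: Dict[str, str]) -> Dict[str, List[str]]:
    """Map profile name -> socket types that still need an inet6 rule."""
    report = {}
    for name, text in profiles.items():
        gaps = missing_inet6(text)
        if gaps:
            report[name] = gaps
    return report

# Constructed sample profiles, modelled on the rules quoted in the thread;
# they are not copies of the files in the AppArmor profile tree.
SAMPLE_PROFILES = {
    "bin.ping": "/bin/ping {\n  capability net_raw,\n  network inet raw,\n}\n",
    "usr.sbin.ntpd": ("/usr/sbin/ntpd {\n  network inet dgram,\n"
                      "  network inet stream,\n  network inet6 stream,\n}\n"),
    "usr.lib.dovecot.imap-login": ("/usr/lib/dovecot/imap-login {\n"
                                   "  network inet stream,\n"
                                   "  network inet6 stream,\n}\n"),
}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_PROFILES).items():
        fixes = " ".join(f"network inet6 {t}," for t in gaps)
        print(f"{name}: consider adding: {fixes}")
```

Whether a given daemon actually speaks IPv6 (klogd, for instance) still has to be decided per program; the script only shows where the profile is asymmetric.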