[apparmor] [patch] dnsmasq profile - allow to read /proc/sys/...../mtu
Christian Boltz
apparmor at cboltz.de
Fri Sep 5 23:01:32 UTC 2014
Hello,
I received the following patch from Jim Fehlig:
References:
https://bugzilla.novell.com/show_bug.cgi?id=892374 (non-public)
https://build.opensuse.org/request/show/247613
https://build.opensuse.org/request/show/247625
Note: with the current directory layout, ..../conf/*/mtu would be
enough, but Jim proposes ** to make it future-proof (see the discussion
on https://build.opensuse.org/request/show/247613 )
Opinions on * vs. **?
I also propose this patch for the 2.8 branch.
Allow dnsmasq read access to IPv6 config
The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
implementations provide MTU in Router Advertisement (RA)
messages. From section 4.2
MTU SHOULD be sent on links that have a variable MTU
(as specified in the document that describes how to
run IP over the particular link type). MAY be sent
on other links.
dnsmasq supports this option and should have read access
to an interface's MTU.
Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
===================================================================
--- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq
+++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -38,6 +38,10 @@
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server
usage
+ # access to iface mtu needed for Router Advertisement messages in
IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/**/mtu r,
+
# for the read-only TFTP server
@{TFTP_DIR}/ r,
@{TFTP_DIR}/** r,
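Review bot: The ** in the added rule "@{PROC}/sys/net/ipv6/conf/**/mtu r," grants more than the stated need. In AppArmor globbing, * stops at a "/" while ** also crosses directory levels, so this rule permits reading any file named mtu at any depth below conf/, whereas the message above notes that conf/*/mtu is enough for the current layout. Suggest "@{PROC}/sys/net/ipv6/conf/*/mtu r," and widening it only if the directory layout actually changes. Separately, the added comment has been wrapped so that "IPv6" sits on a line of its own with no leading "+" or "#" (the same happened to "usage" in the context line above it); as posted the hunk will not apply cleanly, so the comment should be rejoined on one line or shortened.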
Regards,
Christian Boltz
--
I have to trust my government, even if I don't.
[Carlos E. R. in opensuse-factory]