[apparmor] [patch] dnsmasq profile - allow to read /proc/sys/...../mtu

Seth Arnold seth.arnold at canonical.com
Sat Sep 6 00:28:14 UTC 2014


On Sat, Sep 06, 2014 at 01:01:32AM +0200, Christian Boltz wrote:
> Hello,
> 
> I received the following patch from Jim Fehlig:
> 
> References:
> https://bugzilla.novell.com/show_bug.cgi?id=892374 (non-public)
> https://build.opensuse.org/request/show/247613
> https://build.opensuse.org/request/show/247625
> 
> Note: with the current directory layout, ..../conf/*/mtu would be 
> enough, but Jim proposes ** to make it future-proof (see the discussion 
> on https://build.opensuse.org/request/show/247613 )
> 
> Opinions on * vs. **?

I prefer *. If it changes we can adapt.

> 
> I also propose this patch for the 2.8 branch.

Acked-by: Seth Arnold <seth.arnold at canonical.com>
for both trunk and 2.8

Thanks

> 
> 
> 
> 
> Allow dnsmasq read access to IPv6 config
> 
> The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
> implementations provide MTU in Router Advertisement (RA)
> messages.  From section 4.2
> 
> MTU    SHOULD be sent on links that have a variable MTU
>        (as specified in the document that describes how to
>        run IP over the particular link type).  MAY be sent
>        on other links.
> 
> dnsmasq supports this option and should have read access
> to an interface's MTU.
> 
> 
> Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
> ===================================================================
> --- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq
> +++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
> @@ -38,6 +38,10 @@
>  
>    /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server 
> usage
>  
> +  # access to iface mtu needed for Router Advertisement messages in 
> IPv6
> +  # Neighbor Discovery protocol (RFC 2461)
> +  @{PROC}/sys/net/ipv6/conf/**/mtu r,
> +
>    # for the read-only TFTP server
>    @{TFTP_DIR}/ r,
>    @{TFTP_DIR}/** r,
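Review bot: the added rule `@{PROC}/sys/net/ipv6/conf/**/mtu r,` uses `**`, which matches across any number of nested directories under conf/, while the cover note says conf/*/mtu is enough for the current layout. I would narrow it to `@{PROC}/sys/net/ipv6/conf/*/mtu r,` so the profile grants read on exactly one interface level, and widen it later if the layout changes. Separately, the added comment line ending in "in" and the context line ending in "server" have been wrapped by the mailer onto continuation lines with no diff prefix, so this inline copy will not apply cleanly as shown.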
> 
> 
> 
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> I have to trust my government, even if I don't.
> [Carlos E. R. in opensuse-factory]
> 
> 
> 
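An added illustration, not part of the thread or of AppArmor's own code: a simplified Python model of the two glob forms discussed above (`*` stops at `/`, `**` does not), run over constructed sample paths to show what `**` would permit beyond `*`. The `/proc` expansion of `@{PROC}`, the helper names and the deeper `eth0/sub/mtu` path are assumptions for the demo.

```python
import re

PROC = "/proc"  # assumed expansion of the @{PROC} profile variable

def aa_glob_to_regex(rule_path):
    """Model only the two AppArmor globs at issue in this thread:
    '**' matches any characters including '/', '*' any characters except '/'."""
    parts, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule_path[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("".join(parts), re.S)

SINGLE = aa_glob_to_regex(PROC + "/sys/net/ipv6/conf/*/mtu")   # reviewer's preference
DOUBLE = aa_glob_to_regex(PROC + "/sys/net/ipv6/conf/**/mtu")  # as in the patch

# Constructed sample paths; the nested one models a hypothetical future layout.
SAMPLE_PATHS = [
    "/proc/sys/net/ipv6/conf/eth0/mtu",
    "/proc/sys/net/ipv6/conf/all/mtu",
    "/proc/sys/net/ipv6/conf/default/mtu",
    "/proc/sys/net/ipv6/conf/eth0/forwarding",
    "/proc/sys/net/ipv6/conf/eth0/sub/mtu",
]

def allowed(pattern, path):
    """True if the whole path is matched by the modelled rule."""
    return pattern.fullmatch(path) is not None

def only_double(paths):
    """Paths readable under the '**' rule but not under the '*' rule."""
    return [p for p in paths if allowed(DOUBLE, p) and not allowed(SINGLE, p)]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:45} *={allowed(SINGLE, p)!s:5} **={allowed(DOUBLE, p)}")
    print("extra access granted by **:", only_double(SAMPLE_PATHS))
```
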