[apparmor] [patch] Update the /sbin/dhclient profile
Christian Boltz
apparmor at cboltz.de
Sat Aug 15 11:49:29 UTC 2015
Hello,
this patch adds some permissions that I need on my system:
- execute nm-dhcp-helper
- read and write /var/lib/dhcp6/dhclient.leases
- read /var/lib/NetworkManager/dhclient-*.conf
- read and write /var/lib/NetworkManager/dhclient-*.conf
I propose this patch for trunk and 2.9.
According to the apparmor-profiles repo, Ubuntu ships a (different?)
profile for dhclient and Debian is thinking about including it:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795467
so we should merge it and move it from extras to the default profiles
(but that's something for another patch ;-)
[ update-dhclient-profile.diff ]
=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient'
--- profiles/apparmor/profiles/extras/sbin.dhclient 2013-01-02 23:34:38 +0000
+++ profiles/apparmor/profiles/extras/sbin.dhclient 2015-08-15 11:36:26 +0000
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2015 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -25,6 +26,8 @@
#include <abstractions/bash>
#include <abstractions/nameservice>
+ capability net_raw,
+
network packet packet,
network packet raw,
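Review bot: The added `capability net_raw,` line at the top of this hunk is not mentioned in the patch description, which lists only the nm-dhcp-helper execute rule and the new lease and conf paths. Since this grants a capability rather than a file permission, please add it to the description together with the denial that prompted it, and consider a one-line comment above the rule explaining why dhclient needs it in addition to the existing `network packet packet,` and `network packet raw,` rules.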
@@ -47,13 +50,17 @@
/usr/bin/uptime mrix,
/usr/bin/vmstat mrix,
/usr/bin/w mrix,
+ /usr/lib/nm-dhcp-helper rix,
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
+ /var/lib/dhcp6/dhclient.leases rw,
+ /var/lib/NetworkManager/dhclient-*.conf r,
+ /var/lib/NetworkManager/dhclient-*.lease rw,
/var/log/lastlog r,
/var/log/messages r,
/var/log/wtmp r,
- /{,var/}run/dhclient.pid rw,
- /{,var/}run/dhclient-*.pid rw,
+ /{,var/}run/dhclient.pid rw,
+ /{,var/}run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,
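Review bot: The new rule `/var/lib/NetworkManager/dhclient-*.lease rw,` does not match the description, which names `dhclient-*.conf` for both the read item and the read-and-write item; please confirm that `.lease` is the intended rw path and correct the description. The suffix is also singular while the neighbouring /var/lib/dhcp rule uses `.leases`, so it is worth stating that this is deliberate. The nm-dhcp-helper rule uses `rix`, so the helper runs confined by this same profile, and it drops the `m` that the adjacent `mrix` entries carry; please say whether that difference is intended. Finally, the two `/{,var/}run/dhclient*.pid` lines are removed and re-added with no visible change in path or permissions; if this is only whitespace alignment, drop it from the patch or mention it in the description so it is not mistaken for a functional change.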
Regards,
Christian Boltz
--
legacy code:
code you didn't write (this morning)
[https://twitter.com/pcreux/status/481154970364825600]