[apparmor] [patch] Update the /sbin/dhclient profile

Christian Boltz apparmor at cboltz.de
Sun Sep 6 11:32:06 UTC 2015 

Hello,

Am Samstag, 15. August 2015 schrieb Christian Boltz:
> this patch adds some permissions that I need on my system:
> - execute nm-dhcp-helper
> - read and write /var/lib/dhcp6/dhclient.leases
> - read /var/lib/NetworkManager/dhclient-*.conf
> - read and write /var/lib/NetworkManager/dhclient-*.conf
> 
> I propose this patch for trunk and 2.9.
> 
> According to the apparmor-profiles repo, Ubuntu ships a (different?)
> profile for dhclient and Debian thinks about including it:
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795467
> so we should merge it and move it from extras to the default profiles
> (but that's something for another patch ;-)

Any comments or reviews?

If nobody objects, I'll commit to trunk and 2.9 as Acked-by <timeout> on 
tuesday.

> [ update-dhclient-profile.diff ]
> 
> === modified file 'profiles/apparmor/profiles/extras/sbin.dhclient'
> --- profiles/apparmor/profiles/extras/sbin.dhclient     2013-01-02
> 23:34:38 +0000 
> +++ profiles/apparmor/profiles/extras/sbin.dhclient     2015-08-15 
> 11:36:26 +0000 
>  @@ -1,6 +1,7 @@
>  # ------------------------------------------------------------------
>  #
>  #    Copyright (C) 2002-2005 Novell/SUSE
> +#    Copyright (C) 2015 Christian Boltz
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -25,6 +26,8 @@
>    #include <abstractions/bash>
>    #include <abstractions/nameservice>
> 
> +  capability net_raw,
> +
>    network packet packet,
>    network packet raw,
> 
> @@ -47,13 +50,17 @@
>    /usr/bin/uptime             mrix,
>    /usr/bin/vmstat             mrix,
>    /usr/bin/w                  mrix,
> +  /usr/lib/nm-dhcp-helper     rix,
>    /var/lib/dhcp/dhclient.leases     rw,
>    /var/lib/dhcp/dhclient-*.leases   rw,
> +  /var/lib/dhcp6/dhclient.leases    rw,
> +  /var/lib/NetworkManager/dhclient-*.conf  r,
> +  /var/lib/NetworkManager/dhclient-*.lease rw,
>    /var/log/lastlog            r,
>    /var/log/messages           r,
>    /var/log/wtmp               r,
> -  /{,var/}run/dhclient.pid       rw,
> -  /{,var/}run/dhclient-*.pid     rw,
> +  /{,var/}run/dhclient.pid    rw,
> +  /{,var/}run/dhclient-*.pid  rw,
>    /var/spool                  r,
>    /var/spool/mail             r,


Regards,

Christian Boltz
-- 
Immerwieder der gleiche Anfaengerfehler:
/dev/null ist fuer Backup,
/dev/zero ist fuer Restore.
[J. P. Meier]

More information about the AppArmor mailing list