[apparmor] [patch] dnsmasq profile update

Christian Boltz apparmor at cboltz.de
Wed Sep 16 12:18:32 UTC 2015


Hello,

This patch is based on a SLE12 patch to allow executing the
--dhcp-script. We already have most parts of that patch since r2841,
except:
- the SLE bug report indicates that /bin/sh is executed (which is usually
  a symlink to /bin/bash or /bin/dash), so we should also allow /bin/sh
- /dev/tty rw - the SLE bug doesn't explain why it's needed, but from
  looking at (link taken from the bug report)
  http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/lease.c;h=8adb60588671324d9ddf00d7dab40474d40d4393;hb=HEAD#l45
  I'd guess that fscanf() (line 70) should explain it.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)


I propose this patch for trunk and 2.9.


[ dnsmasq-profile-boo940749.diff ]

=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
--- profiles/apparmor.d/usr.sbin.dnsmasq        2015-07-24 18:56:27 +0000
+++ profiles/apparmor.d/usr.sbin.dnsmasq        2015-09-16 12:03:40 +0000
@@ -29,6 +29,8 @@
   signal (receive) peer=/usr/sbin/libvirtd,
   ptrace (readby) peer=/usr/sbin/libvirtd,
 
+  /dev/tty rw,
+
   /etc/dnsmasq.conf r,
   /etc/dnsmasq.d/ r,
   /etc/dnsmasq.d/* r,
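
Review bot: the added `/dev/tty rw,` rule has no trailing comment saying why it is needed, unlike other rules in this profile (for example "# Required only for DHCP server usage"), and the cover mail only guesses at the reason from fscanf() in lease.c. fscanf() is a read, so that guess does not by itself explain the `w`; please confirm from the denial in the bug report which access is actually requested, narrow the rule to `r` if write is not needed, and add a comment tying the rule to its use. Since the shell rule in this profile is `ix`, the --dhcp-script runs under the same profile and receives this access too, which is worth stating in that comment.
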
@@ -45,7 +47,7 @@
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
 
-  /bin/{b,d}ash ix, # Required to execute --dhcp-script argument
+  /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
 
   # access to iface mtu needed for Router Advertisement messages in IPv6
   # Neighbor Discovery protocol (RFC 2461)
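
Review bot: in `/bin/{ba,da,}sh ix,` the empty third alternative is what adds /bin/sh, and it is easy to overlook when reading the profile. Consider extending the trailing comment to name the three paths, e.g. "# Required to execute --dhcp-script argument (/bin/sh, /bin/bash, /bin/dash)", so the intent of the empty alternative stays visible to the next person who edits the rule.
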



Regards,

Christian Boltz
-- 
> My fonts fill the entire wall, so I couldn't use a
> bigger poster either. :-)
I always use wallpaper for the walls ;-)
[> Ratti and Christian Boltz]



