[apparmor] [patch] dnsmasq profile update
Christian Boltz
apparmor at cboltz.de
Wed Sep 16 12:18:32 UTC 2015
Hello,
this patch is based on a SLE12 patch to allow executing the
--dhcp-script. We already have most parts of that patch since r2841,
except:
- the SLE bug report indicates that /bin/sh is executed (which is usually
a symlink to /bin/bash or /bin/dash), so we should also allow /bin/sh
- /dev/tty rw - the SLE bug doesn't explain why it's needed, but from
looking at (link taken from the bug report)
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/lease.c;h=8adb60588671324d9ddf00d7dab40474d40d4393;hb=HEAD#l45
I'd guess that fscanf() (line 70) should explain it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
I propose this patch for trunk and 2.9.
[ dnsmasq-profile-boo940749.diff ]
=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
--- profiles/apparmor.d/usr.sbin.dnsmasq 2015-07-24 18:56:27 +0000
+++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-16 12:03:40 +0000
@@ -29,6 +29,8 @@
signal (receive) peer=/usr/sbin/libvirtd,
ptrace (readby) peer=/usr/sbin/libvirtd,
+ /dev/tty rw,
+
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
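Review bot: the new `/dev/tty rw,` rule carries no comment saying why it is needed, while the leases and shell rules in the next hunk each state what they are required for, and the cover text says the bug report does not explain the access. Please add a trailing comment with the reason (for example that it is only needed together with --dhcp-script, if that is the case), and confirm that both read and write are actually required; if only one is, grant only that one.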
@@ -45,7 +47,7 @@
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
- /bin/{b,d}ash ix, # Required to execute --dhcp-script argument
+ /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
# access to iface mtu needed for Router Advertisement messages in IPv6
# Neighbor Discovery protocol (RFC 2461)
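Review bot: in `/bin/{ba,da,}sh ix,` the empty third alternative is what matches /bin/sh, and it is easy to misread as a typo; extend the comment to say that /bin/sh is covered because it is usually a symlink to bash or dash. Since the rule uses ix, the shell and the --dhcp-script it runs stay inside the dnsmasq profile, so anything the script needs has to be allowed in this profile as well; that is worth stating in the comment too.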
Regards,
Christian Boltz
--
> My fonts fill the entire wall, so I couldn't use a bigger
> poster anyway. :-)
I always use wallpaper for the walls ;-)
[> Ratti and Christian Boltz]