[apparmor] [patch] dnsmasq profile update
Seth Arnold
seth.arnold at canonical.com
Wed Sep 16 19:16:40 UTC 2015
On Wed, Sep 16, 2015 at 02:18:32PM +0200, Christian Boltz wrote:
> Hello,
>
> this patch is based on a SLE12 patch to allow executing the
> --dhcp-script. We already have most parts of that patch since r2841,
> except:
> - the SLE bugreport indicates that /bin/sh is executed (which is usually
> a symlink to /bin/bash or /bin/dash), so we should also allow /bin/sh
> - /dev/tty rw - the SLE bug doesn't explain why it's needed, but from
> looking at (link taken from the bugreport)
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/lease.c;h=8adb60588671324d9ddf00d7dab40474d40d4393;hb=HEAD#l45
> I'd guess that fscanf() (line 70) should explain it.
>
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
I don't like the /dev/tty; that deserves more investigation. The fscanf()
on 70 is reading a file specified in a configuration option, so that's not
likely to be it.
In my /etc/apparmor.d/, the rsyslogd and squid3 profiles allow /dev/tty.
The cups and telepathy profiles deny /dev/tty to silence alerts.
The /bin/sh change is fine though, that bit can go into trunk and 2.9.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
>
> I propose this patch for trunk and 2.9.
>
>
> [ dnsmasq-profile-boo940749.diff ]
>
> === modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
> --- profiles/apparmor.d/usr.sbin.dnsmasq 2015-07-24 18:56:27 +0000
> +++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-16 12:03:40 +0000
> @@ -29,6 +29,8 @@
> signal (receive) peer=/usr/sbin/libvirtd,
> ptrace (readby) peer=/usr/sbin/libvirtd,
>
> + /dev/tty rw,
> +
> /etc/dnsmasq.conf r,
> /etc/dnsmasq.d/ r,
> /etc/dnsmasq.d/* r,
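Review bot: the `/dev/tty rw,` line in this hunk carries no comment justifying it, and the cover mail itself says the bug report does not explain why the access is needed. Before this lands, capture the actual denial (the `requested_mask` in the audit log shows whether dnsmasq asks for `r`, `w` or both) and narrow the rule to that; if no denial can be reproduced, drop the line rather than grant read-write access to the controlling terminal. If it does stay, give it a trailing comment in the style of the neighbouring rules, e.g. `/dev/tty rw, # <reason>`.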
> @@ -45,7 +47,7 @@
>
> /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
>
> - /bin/{b,d}ash ix, # Required to execute --dhcp-script argument
> + /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
>
> # access to iface mtu needed for Router Advertisement messages in IPv6
> # Neighbor Discovery protocol (RFC 2461)
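Review bot: `/bin/{ba,da,}sh ix,` relies on the empty alternative in the brace group to match `/bin/sh`; that is valid AppArmor glob syntax but easy to misread, so the trailing comment should say that the third case is `/bin/sh` (the usual shebang interpreter, normally a symlink to bash or dash as the cover mail notes). Also, because the exec mode is `ix`, the shell keeps running under this profile, so the script named by `--dhcp-script` and anything it invokes must themselves be allowed here; the hunk adds no rule for the script path, so confirm the r2841 changes the cover mail refers to already cover it.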
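Seth asks for the `/dev/tty` access to be investigated rather than granted as `rw`. One way to do that, as an added example that is not part of this thread or of the AppArmor project's own tools: read the AppArmor denials for a profile out of the audit log and render the union of `requested_mask` letters per path as a candidate rule, so a reviewer can see whether `r`, `w` or `rw` is actually being requested. The log lines below are constructed for illustration (they are not from the bug report), and the choice of `ix` for exec requests is an assumption made here, mirroring the profile's handling of the `--dhcp-script` shell.

```python
import re
from collections import defaultdict

# Constructed sample of AppArmor audit lines. These are invented for
# illustration and are not taken from the bug report or the list thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1442430001.101:2001): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/dev/tty" pid=4242 comm="dnsmasq" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
type=AVC msg=audit(1442430001.102:2002): apparmor="DENIED" operation="exec" profile="/usr/sbin/dnsmasq" name="/bin/sh" pid=4243 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1442430001.103:2003): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/dev/tty" pid=4242 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1442430001.104:2004): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dnsmasq" name="/etc/dnsmasq.conf" pid=4242 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1442430001.105:2005): apparmor="DENIED" operation="open" profile="/usr/sbin/squid3" name="/dev/tty" pid=5000 comm="squid3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key="value" pairs as the kernel writes them in AppArmor audit records.
_FIELD = re.compile(r'(\w+)="([^"]*)"')

# Order in which permission letters are conventionally written in profile rules.
_MASK_ORDER = "rwamklx"


def parse_events(log_text):
    """Yield one dict of key="value" fields per AppArmor audit line."""
    for line in log_text.splitlines():
        if 'apparmor="' not in line:
            continue
        yield dict(_FIELD.findall(line))


def collect_masks(log_text, include_allowed=False):
    """Union the requested masks per (profile, path) across DENIED events.

    A profile in complain mode logs apparmor="ALLOWED" with the same mask
    fields; pass include_allowed=True to fold those events in as well.
    """
    masks = defaultdict(set)
    for ev in parse_events(log_text):
        status = ev.get("apparmor")
        if status != "DENIED" and not (include_allowed and status == "ALLOWED"):
            continue
        if "name" not in ev or "profile" not in ev:
            continue  # signal/ptrace events carry no path; out of scope here
        masks[(ev["profile"], ev["name"])].update(ev.get("requested_mask", ""))
    return masks


def mask_to_rule(path, mask):
    """Render a path plus a set of mask letters as an AppArmor file rule.

    An exec request ('x') needs an exec mode in the profile. 'ix' (inherit
    the current confinement) is assumed here as the conservative default;
    a reviewer should pick ix/Px/Cx deliberately before committing.
    """
    letters = "".join(c for c in _MASK_ORDER if c in mask)
    letters = letters.replace("x", "ix")
    return f"{path} {letters},"


def suggest_rules(log_text, profile, include_allowed=False):
    """Return sorted candidate rules for one profile, one per requested path."""
    masks = collect_masks(log_text, include_allowed)
    return sorted(
        mask_to_rule(path, mask)
        for (prof, path), mask in masks.items()
        if prof == profile
    )


if __name__ == "__main__":
    # For the constructed log this prints:
    #   /bin/sh ix,
    #   /dev/tty rw,
    for rule in suggest_rules(SAMPLE_LOG, "/usr/sbin/dnsmasq"):
        print(rule)
```

Point it at the contents of `/var/log/audit/audit.log` (or `journalctl -k` output) with the profile set to `/usr/sbin/dnsmasq`. `aa-logprof` does the same job interactively; the function form here makes the per-path mask union explicit, which is the fact a reviewer wants before deciding between `r`, `w` and `rw` for `/dev/tty`.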