[apparmor] [patch] dnsmasq profile update

Seth Arnold seth.arnold at canonical.com
Wed Sep 16 19:16:40 UTC 2015


On Wed, Sep 16, 2015 at 02:18:32PM +0200, Christian Boltz wrote:
> Hello,
> 
> this patch is based on a SLE12 patch to allow executing the
> --dhcp-script. We already have most parts of that patch since r2841,
> except:
> - the SLE bugreport indicates that /bin/sh is executed (which is usually
>   a symlink to /bin/bash or /bin/dash), so we should also allow /bin/sh
> - /dev/tty rw - the SLE bug doesn't explain why it's needed, but from
>   looking at (link taken from the bugreport)
>   http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/lease.c;h=8adb60588671324d9ddf00d7dab40474d40d4393;hb=HEAD#l45
>   I'd guess that fscanf() (line 70) should explain it.
> 
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)

I don't like the /dev/tty; that deserves more investigation. The fscanf()
on 70 is reading a file specified in a configuration option, so that's not
likely to be it.

In my /etc/apparmor.d/, the rsyslogd and squid3 profiles allow /dev/tty.
The cups and telepathy profiles deny /dev/tty to silence alerts.

The /bin/sh change is fine though, that bit can go into trunk and 2.9.

Acked-by: Seth Arnold <seth.arnold at canonicalc.com>

Thanks

> 
> I propose this patch for trunk and 2.9.
> 
> 
> [ dnsmasq-profile-boo940749.diff ]
> 
> === modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
> --- profiles/apparmor.d/usr.sbin.dnsmasq        2015-07-24 18:56:27 +0000
> +++ profiles/apparmor.d/usr.sbin.dnsmasq        2015-09-16 12:03:40 +0000
> @@ -29,6 +29,8 @@
>    signal (receive) peer=/usr/sbin/libvirtd,
>    ptrace (readby) peer=/usr/sbin/libvirtd,
>  
> +  /dev/tty rw,
> +
>    /etc/dnsmasq.conf r,
>    /etc/dnsmasq.d/ r,
>    /etc/dnsmasq.d/* r,
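Review bot: the `/dev/tty rw,` line in this hunk is added without a reproducible justification, and the thread itself notes that the lease.c fscanf() reads a file named by a configuration option, so that cannot be the source of the access. Suggest holding this line back until an actual AppArmor denial for dnsmasq opening /dev/tty has been captured, then granting only the mode the log shows (for example `w` alone if only writes are observed); if the access only needs silencing rather than permitting, a `deny /dev/tty rw,` rule as used in the cups and telepathy profiles keeps the confined process from reading the controlling terminal while dropping the audit noise. A short comment on the rule stating which code path needs it would also help the next reviewer.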
> @@ -45,7 +47,7 @@
>  
>    /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
>  
> -  /bin/{b,d}ash ix, # Required to execute --dhcp-script argument
> +  /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
>  
>    # access to iface mtu needed for Router Advertisement messages in IPv6
>    # Neighbor Discovery protocol (RFC 2461)
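Review bot: the `/bin/{ba,da,}sh ix,` change is correct as written, the trailing empty alternative expanding the set to /bin/bash, /bin/dash and /bin/sh, but the empty alternative is easy to misread, so the comment should spell out that /bin/sh is included because the bugreport shows it being executed directly (it is usually a symlink to one of the other two). Worth noting for the record that `ix` means the shell, and therefore whatever --dhcp-script it runs, keeps running under this dnsmasq profile, so any files the script itself touches still need their own rules here rather than an unconfined transition.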
