diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 9300d62f..f1f94c55 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -4,11 +4,10 @@ abi , include @{exec_path} = /{usr/,}bin/dhcpcd -profile dhcpcd @{exec_path} flags=(attach_disconnected, mediate_deleted) { +profile dhcpcd @{exec_path} flags=(attach_disconnected) { include + include - @{exec_path} mr, - capability dac_override, capability dac_read_search, capability kill, 
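Review bot: The `mediate_deleted` flag is dropped from the profile header without any rationale in the hunk or the description, and that flag changes how AppArmor treats files the daemon keeps open after they are unlinked, so the reason for removing it should be recorded. A one-line comment above the profile line such as `# mediate_deleted dropped intentionally: <placeholder: reason / issue ref>` would keep the next reader from re-adding it. The target of the new `include` line on the line below the header is not visible in the hunk as extracted here, so it cannot be checked that it covers the `ld.so.cache`, `nsswitch.conf` and `passwd` reads that the second hunk removes; please confirm that abstraction grants them. The profile body continues past the end of this hunk.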
@@ -25,40 +24,39 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected, mediate_deleted) { network inet6 raw, network netlink raw, network packet raw, + + @{exec_path} mr, - /{usr/,}bin/bash ix, - /{usr/,}bin/cat mrix, - /{usr/,}bin/chmod mrix, - /{usr/,}bin/cmp mrix, - /{usr/,}bin/mkdir mrix, - /{usr/,}bin/rm mrix, - /{usr/,}bin/sed mrix, - /{usr/,}lib/dhcpcd/dhcpcd-run-hooks mrix, - owner /dev/tty rw, - owner /var/lib/dhcpcd/*.lease rw, - owner /var/lib/dhcpcd/secret rw, - owner @{PROC}/*/net/if_inet6 r, - owner @{PROC}/*/stat r, - owner @{PROC}/sys/kernel/hostname r, - owner @{PROC}/sys/net/ipv{4,6}/conf/** r, - owner @{PROC}/sys/net/ipv{4,6}/conf/@{hex}/accept_ra rw, - owner @{etc_ro}/dhcpcd.conf r, - owner @{etc_ro}/ld.so.cache r, - owner @{etc_ro}/ld.so.preload r, - owner @{etc_ro}/nsswitch.conf r, - owner @{etc_ro}/passwd r, - owner @{etc_rw}/resolv.conf rw, - owner @{run}/dhcpcd/@{hex}.pid wk, - owner @{run}/dhcpcd/@{hex}.sock w, - owner @{run}/dhcpcd/hook-state/ rw, - owner @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw, - owner @{run}/dhcpcd/hook-state/resolv.conf/ rw, - owner @{run}/dhcpcd/{.pid,pid} rwk, - owner @{run}/dhcpcd/{.sock,sock} w, - owner @{run}/dhcpcd/unpriv.sock w, - owner @{run}/udev/data/n[0-9]* r, - owner @{sys}/devices/pci[0-9]*/**/uevent r, - owner @{sys}/devices/virtual/dmi/id/product_uuid r, - owner @{sys}/devices/virtual/net/**/{tun_flags,uevent} r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/cmp rix, + /{usr/,}bin/dhcpcd mr, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}lib/dhcpcd/dhcpcd-run-hooks rix, + /dev/tty rw, + /var/lib/dhcpcd/*.lease rw, + /var/lib/dhcpcd/secret rw, + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/hostname r, + @{PROC}/sys/net/ipv{4,6}/conf/** r, + @{PROC}/sys/net/ipv{4,6}/conf/@{hex}/accept_ra rw, + @{etc_ro}/dhcpcd.conf r, + @{etc_rw}/resolv.conf rw, + @{run}/dhcpcd/@{hex}.pid wk, + 
@{run}/dhcpcd/@{hex}.sock w, + @{run}/dhcpcd/hook-state/ rw, + @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw, + @{run}/dhcpcd/hook-state/resolv.conf/ rw, + @{run}/dhcpcd/{.pid,pid} rwk, + @{run}/dhcpcd/{.sock,sock} w, + @{run}/dhcpcd/unpriv.sock w, + @{run}/udev/data/n[0-9]* r, + @{sys}/devices/pci[0-9]*/**/uevent r, + @{sys}/devices/virtual/dmi/id/product_uuid r, + @{sys}/devices/virtual/net/**/{tun_flags,uevent} r, }
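Review bot: Every file rule in this hunk loses its `owner` qualifier, so the writable paths — `/var/lib/dhcpcd/secret rw,`, `@{etc_rw}/resolv.conf rw,`, `/dev/tty rw,` and the `@{run}/dhcpcd/` socket and pid rules — are now granted regardless of who owns the file, which is a real widening if the daemon runs part of its work under a separate unprivileged user (the page does not show whether it does). If the broadening is only needed for the read rules, keeping `owner` on the `rw`/`w`/`k` rules, e.g. `owner /var/lib/dhcpcd/secret rw,` and `owner @{etc_rw}/resolv.conf rw,`, preserves most of the previous restriction. The new `/{usr/,}bin/dhcpcd mr,` duplicates `@{exec_path} mr,` added at the top of this hunk, since `@{exec_path}` is assigned that same path in the first hunk; one of the two can go. Narrowing `@{PROC}/*/` to `@{PROC}/@{pid}/` and listing `{,ba,da}sh rix,` instead of only `bash` look reasonable but deserve a line in the commit message explaining why the shell set was broadened.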