Besides dnsmasq.leases, dnsmasq.pid needs to be written. Also read
access for some files is needed (currently dnsmasq.raw and
dnsmasq.hosts - using dnsmasq.* makes this more future-proof when
more files get added)
References: https://bugs.launchpad.net/apparmor/+bug/1634199 (again)
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/1403468
https://launchpad.net/bugs/1569316
When Ubuntu made the jump from network-manager 1.0.4 to 1.1.93, the
dnsmasq process spawned from network-manager started hitting a
disconnected path denial:
audit: type=1400 audit(1460463960.943:31702): apparmor="ALLOWED"
operation="connect" info="Failed name lookup - disconnected path"
error=-13 profile="/usr/sbin/dnsmasq"
name="run/dbus/system_bus_socket" pid=3448 comm="dnsmasq"
requested_mask="wr" denied_mask="wr" fsuid=65534 ouid=0
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
from intrigery:
dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile.
Acked-by: Christian Boltz <apparmor@cboltz.de>
Some packages like libvirt-bin and lxc drop conf snippets in /etc/dnsmasq.d-available
and make them available through symlinks in /etc/dnsmasq.d created during postinst.
oftc_ftw reported on IRC that Arch Linux has a symlink /bin -> /usr/bin.
This means we have to update paths for /bin/ in several profiles to also
allow /usr/bin/
Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9
This patch is based on a SLE12 patch to allow executing the
--dhcp-script. We already have most parts of that patch since r2841,
except /dev/tty rw which is needed for the shell's stdout and stderr.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
Acked by Seth Arnold on IRC (with "owner" added)
This patch is based on a SLE12 patch to allow executing the
--dhcp-script. We already have most parts of that patch since r2841,
however the SLE bugreport indicates that /bin/sh is executed (which is
usually a symlink to /bin/bash or /bin/dash), so we should also allow
/bin/sh
References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
Acked-by: Seth Arnold <seth.arnold@canonicalc.com> for trunk and 2.9
... and add a few mostly innocuous permissions in there, that are not
strictly needed for a seemingly functional setup, but the lack thereof
triggers denial logs, that could indicate that the software falls back
to some degraded operation mode.
argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt
leasehelper script to run even on x86_64.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=911001
Patch by "Cédric Bosdonnat" <cbosdonnat@suse.com>
Note: the original patch used {lib,lib64} - I changed it to lib{,64} to
match the style we typically use.
Acked-by: John Johansen <john.johansen@canonical.com>
> Allow dnsmasq read access to IPv6 config
The commit did not match this part of the commit message
> slightly modified (../conf/**/mtu -> ../conf/*/mtu)
which I'm fixing now.
The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
implementations provide MTU in Router Advertisement (RA)
messages. From section 4.2
MTU SHOULD be sent on links that have a variable MTU
(as specified in the document that describes how to
run IP over the particular link type). MAY be sent
on other links.
dnsmasq supports this option and should have read access
to an interface's MTU.
Patch by James Fehlig <jfehlig@suse.com>
slightly modified (../conf/**/mtu -> ../conf/*/mtu)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This is an updated version of the previous dnsmasq profile patch, again
from develop7 [at] develop7.info
Acked-by: John Johansen <john.johansen@canonical.com>
dnsmasq needs read access to more files in /var/lib/libvirt/dnsmasq/
(at least *.conf and *.addnhosts)
Since this directory contains only files that are intended for dnsmasq
(also confirmed by Jim Fehlig, the SUSE libvirt maintainer), the best
way is to just allow "/var/lib/libvirt/dnsmasq/* r,"
References: https://bugzilla.novell.com/show_bug.cgi?id=848215
+1'd for trunk and 2.8 by Jamie Strandboge <jamie@canonical.com>
When dnsmasq is started with the --enable-dbus option, it uses the
system bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
which is needed by NetworkManager integration in Ubuntu. (LP: #917628)
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Updated to match master by
Christian Boltz <apparmor@cboltz.de>
Updated for systemd (/{,var/},run/ instead of /var/run/) by
Christian Boltz <apparmor@cboltz.de> as requested by Steve Beattie
With this change:
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
(final confirmation on IRC in #apparmor)
- allow net_admin capability for DHCP server
- allow net_raw and network inet raw for ICMP pings when used as a DHCP
server
- allow read and write access to libvirt pid files for dnsmasq
See the FAQ in the dnsmasq source for details. This fixes
https://launchpad.net/bugs/697239
- add profiles/local/README
- adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/
- adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace
and svn conventions
