mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
f1b4da2f64
Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com>
143 lines
4.1 KiB
Text
143 lines
4.1 KiB
Text
# ------------------------------------------------------------------
|
|
#
|
|
# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
|
|
# Copyright (C) 2010 Canonical Ltd.
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
# License published by the Free Software Foundation.
|
|
#
|
|
# ------------------------------------------------------------------
|
|
|
|
abi <abi/4.0>,
|
|
|
|
@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
|
|
|
|
include <tunables/global>
|
|
profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/dbus>
|
|
include <abstractions/nameservice>
|
|
|
|
capability chown,
|
|
capability net_bind_service,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability dac_override,
|
|
capability net_admin, # for DHCP server
|
|
capability net_raw, # for DHCP server ping checks
|
|
network inet raw,
|
|
network inet6 raw,
|
|
|
|
signal (receive) peer=/usr/{bin,sbin}/libvirtd,
|
|
signal (receive) peer=libvirtd,
|
|
ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
|
|
ptrace (readby) peer=libvirtd,
|
|
|
|
owner /dev/tty rw,
|
|
|
|
@{PROC}/@{pid}/fd/ r,
|
|
|
|
/etc/dnsmasq.conf r,
|
|
/etc/dnsmasq.d/ r,
|
|
/etc/dnsmasq.d/* r,
|
|
/etc/dnsmasq.d-available/ r,
|
|
/etc/dnsmasq.d-available/* r,
|
|
/etc/ethers r,
|
|
/etc/NetworkManager/dnsmasq.d/ r,
|
|
/etc/NetworkManager/dnsmasq.d/* r,
|
|
/etc/NetworkManager/dnsmasq-shared.d/ r,
|
|
/etc/NetworkManager/dnsmasq-shared.d/* r,
|
|
/etc/dnsmasq-conf.conf r,
|
|
/etc/dnsmasq-resolv.conf r,
|
|
|
|
/usr/{bin,sbin}/dnsmasq mr,
|
|
|
|
/var/log/dnsmasq*.log w,
|
|
|
|
/usr/share/dnsmasq{-base,}/ r,
|
|
/usr/share/dnsmasq{-base,}/* r,
|
|
|
|
@{run}/*dnsmasq*.pid w,
|
|
@{run}/dnsmasq-forwarders.conf r,
|
|
@{run}/dnsmasq/ r,
|
|
@{run}/dnsmasq/* rw,
|
|
|
|
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
|
|
|
|
/{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
|
|
|
|
# access to iface mtu needed for Router Advertisement messages in IPv6
|
|
# Neighbor Discovery protocol (RFC 2461)
|
|
@{PROC}/sys/net/ipv6/conf/*/mtu r,
|
|
|
|
# for the read-only TFTP server
|
|
@{TFTP_DIR}/ r,
|
|
@{TFTP_DIR}/** r,
|
|
|
|
# libvirt config and hosts file for dnsmasq
|
|
/var/lib/libvirt/dnsmasq/ r,
|
|
/var/lib/libvirt/dnsmasq/* r,
|
|
|
|
# libvirt pid files for dnsmasq
|
|
@{run}/libvirt/network/ r,
|
|
@{run}/libvirt/network/*.pid rw,
|
|
|
|
# libvirt lease helper
|
|
/usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
|
|
/usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
|
|
|
|
# lxc-net pid and lease files
|
|
@{run}/lxc/dnsmasq.pid rw,
|
|
/var/lib/misc/dnsmasq.*.leases rw,
|
|
|
|
# lxd-bridge pid and lease files
|
|
@{run}/lxd-bridge/dnsmasq.pid rw,
|
|
/var/lib/lxd-bridge/dnsmasq.*.leases rw,
|
|
/var/lib/lxd/networks/*/dnsmasq.* r,
|
|
/var/lib/lxd/networks/*/dnsmasq.leases rw,
|
|
/var/lib/lxd/networks/*/dnsmasq.pid rw,
|
|
|
|
# NetworkManager integration
|
|
/var/lib/NetworkManager/dnsmasq-*.leases rw,
|
|
@{run}/nm-dns-dnsmasq.conf r,
|
|
@{run}/nm-dnsmasq-*.pid rw,
|
|
@{run}/sendsigs.omit.d/*dnsmasq.pid w,
|
|
@{run}/NetworkManager/dnsmasq.conf r,
|
|
@{run}/NetworkManager/dnsmasq.pid w,
|
|
@{run}/NetworkManager/NetworkManager.pid w,
|
|
|
|
# dnsname plugin in podman
|
|
@{run}/containers/cni/dnsname/*/dnsmasq.conf r,
|
|
@{run}/containers/cni/dnsname/*/addnhosts r,
|
|
@{run}/containers/cni/dnsname/*/pidfile rw,
|
|
owner @{run}/user/*/containers/cni/dnsname/*/dnsmasq.conf r,
|
|
owner @{run}/user/*/containers/cni/dnsname/*/addnhosts r,
|
|
owner @{run}/user/*/containers/cni/dnsname/*/pidfile rw,
|
|
|
|
# waydroid lxc-net pid file
|
|
@{run}/waydroid-lxc/dnsmasq.pid rw,
|
|
|
|
profile libvirt_leaseshelper {
|
|
include <abstractions/base>
|
|
|
|
/etc/libnl-3/classid r,
|
|
|
|
/usr/lib{,64}/libvirt/libvirt_leaseshelper mr,
|
|
/usr/libexec/libvirt_leaseshelper mr,
|
|
|
|
owner @{PROC}/@{pid}/net/psched r,
|
|
|
|
@{sys}/devices/system/node/ r,
|
|
@{sys}/devices/system/node/*/meminfo r,
|
|
|
|
# libvirt lease and status files for dnsmasq
|
|
/var/lib/libvirt/dnsmasq/*.leases rw,
|
|
/var/lib/libvirt/dnsmasq/*.status* rw,
|
|
|
|
@{run}/leaseshelper.pid rwk,
|
|
}
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/usr.sbin.dnsmasq>
|
|
}
|