|
|
- --- a/profiles/apparmor.d/usr.sbin.dnsmasq
- +++ b/profiles/apparmor.d/usr.sbin.dnsmasq
- @@ -1,3 +1,10 @@
- +# Last Modified: Thu Jun 10 01:23:44 2021
- +abi <abi/3.0>,
- +
- +include <tunables/global>
- +
- +@{TFTP_DIR} = /srv/tftp /srv/tftpboot /var/tftp
- +
- # ------------------------------------------------------------------
- #
- # Copyright (C) 2009 John Dong <jdong@ubuntu.com>
- @@ -9,126 +16,95 @@
- #
- # ------------------------------------------------------------------
-
- -abi <abi/3.0>,
- -
- -@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
-
- -include <tunables/global>
- profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- include <abstractions/base>
- include <abstractions/dbus>
- include <abstractions/nameservice>
- + include <abstractions/user-tmp>
- + include if exists <local/usr.sbin.dnsmasq>
-
- capability chown,
- + capability dac_override,
- + capability net_admin, # for DHCP server
- capability net_bind_service,
- + capability net_raw, # for DHCP server ping checks
- capability setgid,
- capability setuid,
- - capability dac_override,
- - capability net_admin, # for DHCP server
- - capability net_raw, # for DHCP server ping checks
- +
- network inet raw,
- network inet6 raw,
-
- - signal (receive) peer=/usr/{bin,sbin}/libvirtd,
- - signal (receive) peer=libvirtd,
- - ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
- - ptrace (readby) peer=libvirtd,
- + signal receive peer=/usr/{bin,sbin}/libvirtd,
- + signal receive peer=libvirtd,
-
- - owner /dev/tty rw,
- + ptrace readby peer=/usr/{bin,sbin}/libvirtd,
- + ptrace readby peer=libvirtd,
-
- - @{PROC}/@{pid}/fd/ r,
- -
- - /etc/dnsmasq.conf r,
- - /etc/dnsmasq.d/ r,
- - /etc/dnsmasq.d/* r,
- - /etc/dnsmasq.d-available/ r,
- - /etc/dnsmasq.d-available/* r,
- - /etc/ethers r,
- - /etc/NetworkManager/dnsmasq.d/ r,
- - /etc/NetworkManager/dnsmasq.d/* r,
- /etc/NetworkManager/dnsmasq-shared.d/ r,
- /etc/NetworkManager/dnsmasq-shared.d/* r,
- + /etc/NetworkManager/dnsmasq.d/ r,
- + /etc/NetworkManager/dnsmasq.d/* r,
- /etc/dnsmasq-conf.conf r,
- /etc/dnsmasq-resolv.conf r,
- -
- - /usr/{bin,sbin}/dnsmasq mr,
- -
- - /var/log/dnsmasq*.log w,
- -
- + /etc/dnsmasq.conf r,
- + /etc/dnsmasq.d-available/ r,
- + /etc/dnsmasq.d-available/* r,
- + /etc/dnsmasq.d/ r,
- + /etc/dnsmasq.d/* r,
- + /etc/ethers r,
- + /tmp/** r,
- + /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
- + /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
- /usr/share/dnsmasq{-base,}/ r,
- /usr/share/dnsmasq{-base,}/* r,
- -
- - @{run}/*dnsmasq*.pid w,
- - @{run}/dnsmasq-forwarders.conf r,
- - @{run}/dnsmasq/ r,
- - @{run}/dnsmasq/* rw,
- -
- + /usr/{bin,sbin}/dnsmasq mr,
- + /var/lib/NetworkManager/dnsmasq-*.leases rw,
- + /var/lib/libvirt/dnsmasq/ r,
- + /var/lib/libvirt/dnsmasq/* r,
- + /var/lib/lxd-bridge/dnsmasq.*.leases rw,
- + /var/lib/lxd/networks/*/dnsmasq.* r,
- + /var/lib/lxd/networks/*/dnsmasq.leases rw,
- + /var/lib/lxd/networks/*/dnsmasq.pid rw,
- + /var/lib/misc/dnsmasq.*.leases rw,
- /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
- -
- + /var/log/dnsmasq*.log w,
- /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
- -
- - # access to iface mtu needed for Router Advertisement messages in IPv6
- - # Neighbor Discovery protocol (RFC 2461)
- + @{PROC}/@{pid}/fd/ r,
- @{PROC}/sys/net/ipv6/conf/*/mtu r,
- -
- - # for the read-only TFTP server
- @{TFTP_DIR}/ r,
- @{TFTP_DIR}/** r,
- -
- - # libvirt config and hosts file for dnsmasq
- - /var/lib/libvirt/dnsmasq/ r,
- - /var/lib/libvirt/dnsmasq/* r,
- -
- - # libvirt pid files for dnsmasq
- - @{run}/libvirt/network/ r,
- + @{run}/*dnsmasq*.pid w,
- + @{run}/NetworkManager/NetworkManager.pid w,
- + @{run}/NetworkManager/dnsmasq.conf r,
- + @{run}/NetworkManager/dnsmasq.pid w,
- + @{run}/dnsmasq-forwarders.conf r,
- + @{run}/dnsmasq/ r,
- + @{run}/dnsmasq/* rw,
- + @{run}/libvirt/network/ r,
- @{run}/libvirt/network/*.pid rw,
- -
- - # libvirt lease helper
- - /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
- - /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
- -
- - # lxc-net pid and lease files
- - @{run}/lxc/dnsmasq.pid rw,
- - /var/lib/misc/dnsmasq.*.leases rw,
- -
- - # lxd-bridge pid and lease files
- - @{run}/lxd-bridge/dnsmasq.pid rw,
- - /var/lib/lxd-bridge/dnsmasq.*.leases rw,
- - /var/lib/lxd/networks/*/dnsmasq.* r,
- - /var/lib/lxd/networks/*/dnsmasq.leases rw,
- - /var/lib/lxd/networks/*/dnsmasq.pid rw,
- -
- - # NetworkManager integration
- - /var/lib/NetworkManager/dnsmasq-*.leases rw,
- + @{run}/lxc/dnsmasq.pid rw,
- + @{run}/lxd-bridge/dnsmasq.pid rw,
- @{run}/nm-dns-dnsmasq.conf r,
- @{run}/nm-dnsmasq-*.pid rw,
- @{run}/sendsigs.omit.d/*dnsmasq.pid w,
- - @{run}/NetworkManager/dnsmasq.conf r,
- - @{run}/NetworkManager/dnsmasq.pid w,
- - @{run}/NetworkManager/NetworkManager.pid w,
- + owner /dev/tty rw,
- +
-
- profile libvirt_leaseshelper {
- include <abstractions/base>
-
- /etc/libnl-3/classid r,
- -
- - /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
- /usr/libexec/libvirt_leaseshelper m,
- -
- - owner @{PROC}/@{pid}/net/psched r,
- - owner @{PROC}/@{pid}/status r,
- -
- + /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
- + /var/lib/libvirt/dnsmasq/*.leases rw,
- + /var/lib/libvirt/dnsmasq/*.status* rw,
- + @{run}/leaseshelper.pid rwk,
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/node/ r,
- @{sys}/devices/system/node/*/meminfo r,
- + owner @{PROC}/@{pid}/net/psched r,
- + owner @{PROC}/@{pid}/status r,
-
- - # libvirt lease and status files for dnsmasq
- - /var/lib/libvirt/dnsmasq/*.leases rw,
- - /var/lib/libvirt/dnsmasq/*.status* rw,
- -
- - @{run}/leaseshelper.pid rwk,
- }
- -
- - # Site-specific additions and overrides. See local/README for details.
- - include if exists <local/usr.sbin.dnsmasq>
- }
|
