Accepting request 247625 from home:jfehlig:branches:security:apparmor
V2 (supersedes 247613)

This patch fixes bnc#892374, which I'd like to fix for SLE12, but needs submitted here first. The patch adds a (IMO) necessary rule to the dnsmasq profile, question is whether I got the syntax right. If so, please accept this request and forward the patch upstream. Thanks!

- add apparmor-profiles-dnsmasq-iface-mtu.patch to allow dnsmasq read access to interface mtu in /proc/sys/net/ipv6/conf/<ifacename>/mtu (bnc#892374)

OBS-URL: https://build.opensuse.org/request/show/247625
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=95
parent cfa3ffe42d
commit e1dce783c9
30
apparmor-profiles-dnsmasq-iface-mtu.patch
Normal file
@ -0,0 +1,30 @@
|
||||
Allow dnsmasq read access to IPv6 config
|
||||
|
||||
The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
|
||||
implementations provide MTU in Router Advertisement (RA)
|
||||
messages. From section 4.2
|
||||
|
||||
MTU SHOULD be sent on links that have a variable MTU
|
||||
(as specified in the document that describes how to
|
||||
run IP over the particular link type). MAY be sent
|
||||
on other links.
|
||||
|
||||
dnsmasq supports this option and should have read access
|
||||
to an interface's MTU.
|
||||
|
||||
|
||||
Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
===================================================================
|
||||
--- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
+++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
@@ -38,6 +38,10 @@
|
||||
|
||||
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
|
||||
|
||||
+ # access to iface mtu needed for Router Advertisement messages in IPv6
|
||||
+ # Neighbor Discovery protocol (RFC 2461)
|
||||
+ @{PROC}/sys/net/ipv6/conf/**/mtu r,
|
||||
+
|
||||
# for the read-only TFTP server
|
||||
@{TFTP_DIR}/ r,
|
||||
@{TFTP_DIR}/** r,
|
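Review bot: The glob in `@{PROC}/sys/net/ipv6/conf/**/mtu r,` is wider than the access the description asks for. In AppArmor `**` also matches `/`, so this rule covers any depth below conf/, while the changelog path `/proc/sys/net/ipv6/conf/<ifacename>/mtu` has a single interface-name component. Suggest `@{PROC}/sys/net/ipv6/conf/*/mtu r,`, which keeps the read access limited to that per-interface file.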
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 4 11:39:40 MDT 2014 - jfehlig@suse.com
|
||||
|
||||
- add apparmor-profiles-dnsmasq-iface-mtu.patch to allow dnsmasq
|
||||
read access to interface mtu in
|
||||
/proc/sys/net/ipv6/conf/<ifacename>/mtu
|
||||
(bnc#892374)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 11 21:18:25 UTC 2014 - opensuse@cboltz.de
|
||||
|
||||
|
@ -132,6 +132,9 @@ Patch26: perl-apparmor-handle-bare-capability-keyword.diff
|
||||
# perl-apparmor: Properly handle bare file keyword (bnc#889652) (commited upstream trunk r2573, 2.8 )
|
||||
Patch27: perl-apparmor-properly-handle-bare-file-keyword.diff
|
||||
|
||||
# Needs to go upstream!
|
||||
Patch28: apparmor-profiles-dnsmasq-iface-mtu.patch
|
||||
|
||||
Url: https://launchpad.net/apparmor
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
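Review bot: The comment above `Patch28:` only says `# Needs to go upstream!`, while the preceding entry for Patch27 states what the patch does and cites its bug number. Suggest a one-line description in the same style, for example `# apparmor-profiles: allow dnsmasq read access to interface mtu (bnc#892374), needs to go upstream`, so the spec file documents the patch without a lookup in the changelog.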
@ -519,6 +522,7 @@ SubDomain.
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
|
||||
# profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328)
|
||||
test ! -e profiles/apparmor.d/usr.sbin.winbindd
|
||||
|