Accepting request 247625 from home:jfehlig:branches:security:apparmor

V2 (supersedes 247613)

This patch fixes bnc#892374, which I'd like to fix for SLE12, but
it needs to be submitted here first.

The patch adds a (IMO) necessary rule to the dnsmasq profile; the
question is whether I got the syntax right.  If so, please accept
this request and forward the patch upstream.  Thanks!

- add apparmor-profiles-dnsmasq-iface-mtu.patch to allow dnsmasq
  read access to interface mtu in
  /proc/sys/net/ipv6/conf/<ifacename>/mtu
  (bnc#892374)

OBS-URL: https://build.opensuse.org/request/show/247625
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=95
Christian Boltz 2014-09-06 21:13:24 +00:00 committed by Git OBS Bridge
parent cfa3ffe42d
commit e1dce783c9
3 changed files with 42 additions and 0 deletions

@ -0,0 +1,30 @@
Allow dnsmasq read access to IPv6 config
The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
implementations provide MTU in Router Advertisement (RA)
messages. From section 4.2
MTU SHOULD be sent on links that have a variable MTU
(as specified in the document that describes how to
run IP over the particular link type). MAY be sent
on other links.
dnsmasq supports this option and should have read access
to an interface's MTU.
Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
===================================================================
--- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq
+++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -38,6 +38,10 @@
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/**/mtu r,
+
# for the read-only TFTP server
@{TFTP_DIR}/ r,
@{TFTP_DIR}/** r,
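Review bot: The added rule `@{PROC}/sys/net/ipv6/conf/**/mtu r,` uses `**`, which in AppArmor globbing also matches across `/`, while the interface name is a single path component (the patch description and changelog both give the target as /proc/sys/net/ipv6/conf/<ifacename>/mtu). A single `*` grants exactly that path and nothing deeper: `@{PROC}/sys/net/ipv6/conf/*/mtu r,`. Separately, the rule comment and the patch header cite RFC 2461, which has been obsoleted by RFC 4861; citing the current document would be better before this is forwarded upstream.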

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Sep 4 11:39:40 MDT 2014 - jfehlig@suse.com
- add apparmor-profiles-dnsmasq-iface-mtu.patch to allow dnsmasq
read access to interface mtu in
/proc/sys/net/ipv6/conf/<ifacename>/mtu
(bnc#892374)
-------------------------------------------------------------------
Mon Aug 11 21:18:25 UTC 2014 - opensuse@cboltz.de
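Review bot: The new entry's timestamp is given in MDT while the entry directly below it uses UTC. Keeping all .changes timestamps in one timezone (UTC, as in the neighbouring entry) avoids entries that appear out of order when compared by time.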

@ -132,6 +132,9 @@ Patch26: perl-apparmor-handle-bare-capability-keyword.diff
# perl-apparmor: Properly handle bare file keyword (bnc#889652) (commited upstream trunk r2573, 2.8 )
Patch27: perl-apparmor-properly-handle-bare-file-keyword.diff
# Needs to go upstream!
Patch28: apparmor-profiles-dnsmasq-iface-mtu.patch
Url: https://launchpad.net/apparmor
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
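Review bot: The comment above Patch28, `# Needs to go upstream!`, does not say what the patch does or which bug it addresses, unlike the Patch27 comment just above it, which names the change, the bnc number and the upstream status. Suggest a comment in the same form, for example `# dnsmasq profile: allow read access to interface mtu (bnc#892374), needs to go upstream`.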
@ -519,6 +522,7 @@ SubDomain.
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
# profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328)
test ! -e profiles/apparmor.d/usr.sbin.winbindd