From e1dce783c9c57b9991fa90fd352ddec0b257c7f65713a6f044b1f7e463e2c445 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 6 Sep 2014 21:13:24 +0000
Subject: [PATCH] Accepting request 247625 from home:jfehlig:branches:security:apparmor V2 (supersedes 247613) This patch fixes bnc#892374, which I'd like to fix for SLE12, but needs submitted here first. The patch adds a (IMO) necessary rule to the dnsmasq profile, question is whether I got the syntax right. If so, please accept this request and forward the patch upstream. Thanks!
- add apparmor-profiles-dnsmasq-iface-mtu.patch to allow dnsmasq read access to interface mtu in /proc/sys/net/ipv6/conf//mtu (bnc#892374)
OBS-URL: https://build.opensuse.org/request/show/247625
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=95
---
 apparmor-profiles-dnsmasq-iface-mtu.patch | 30 +++++++++++++++++++++++
 apparmor.changes | 8 ++++++
 apparmor.spec | 4 +++
 3 files changed, 42 insertions(+)
 create mode 100644 apparmor-profiles-dnsmasq-iface-mtu.patch
diff --git a/apparmor-profiles-dnsmasq-iface-mtu.patch b/apparmor-profiles-dnsmasq-iface-mtu.patch
new file mode 100644
index 0000000..b786781
--- /dev/null
+++ b/apparmor-profiles-dnsmasq-iface-mtu.patch
@@ -0,0 +1,30 @@
+Allow dnsmasq read access to IPv6 config
+
+The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
+implementations provide MTU in Router Advertisement (RA)
+messages. From section 4.2
+
+MTU SHOULD be sent on links that have a variable MTU
+ (as specified in the document that describes how to
+ run IP over the particular link type). MAY be sent
+ on other links.
+
+dnsmasq supports this option and should have read access
+to an interface's MTU.
+
+
+Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
+===================================================================
+--- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq
++++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -38,6 +38,10 @@
+ 
+ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+ 
++ # access to iface mtu needed for Router Advertisement messages in IPv6
++ # Neighbor Discovery protocol (RFC 2461)
++ @{PROC}/sys/net/ipv6/conf/**/mtu r,
++
+ # for the read-only TFTP server
+ @{TFTP_DIR}/ r,
+ @{TFTP_DIR}/** r,
diff --git a/apparmor.changes b/apparmor.changes
index e983292..3e79469 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep 4 11:39:40 MDT 2014 - jfehlig@suse.com
+
+- add apparmor-profiles-dnsmasq-iface-mtu.patch to allow dnsmasq
+ read access to interface mtu in
+ /proc/sys/net/ipv6/conf//mtu
+ (bnc#892374)
+
 -------------------------------------------------------------------
 Mon Aug 11 21:18:25 UTC 2014 - opensuse@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index 6eb1b5f..b26b080 100644
--- a/apparmor.spec
+++ b/apparmor.spec
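Review bot: The new rule `@{PROC}/sys/net/ipv6/conf/**/mtu r,` in the inner hunk is looser than the path it is meant to cover: `**` spans any number of directory components, while the per-interface sysctl sits exactly one level down at `conf/<iface>/mtu`, so `@{PROC}/sys/net/ipv6/conf/*/mtu r,` grants the same read access without also matching anything deeper should such paths ever appear (the syntax as written is valid, just broader than needed, which answers the submitter's question). The rule comment and the patch description both cite RFC 2461, which has been obsoleted by RFC 4861; I would write the comment as `# Neighbor Discovery protocol (RFC 4861, obsoletes RFC 2461)`. The enclosing dnsmasq profile starts and ends outside the inner hunk, so I cannot tell from here whether an existing `@{PROC}/sys/net/ipv6/conf/` rule already overlaps this one; worth checking before a redundant rule is added.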
@@ -132,6 +132,9 @@ Patch26: perl-apparmor-handle-bare-capability-keyword.diff # perl-apparmor: Properly handle bare file keyword (bnc#889652) (commited upstream trunk r2573, 2.8 ) Patch27: perl-apparmor-properly-handle-bare-file-keyword.diff +# Needs to go upstream! +Patch28: apparmor-profiles-dnsmasq-iface-mtu.patch + Url: https://launchpad.net/apparmor PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -519,6 +522,7 @@ SubDomain. %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 # profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328) test ! -e profiles/apparmor.d/usr.sbin.winbindd
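Review bot: The `# Needs to go upstream!` comment above the new `Patch28:` line departs from the convention on the neighbouring `Patch26`/`Patch27` entries, which name the purpose, the bug and the upstream status so the line can be updated once the patch lands; I would write `# profiles: let dnsmasq read interface MTU for IPv6 RA (bnc#892374) (not yet upstream)`. The matching `%patch28 -p1` in the second hunk looks consistent with the other `%patchNN` lines, though that hunk appears to run past the end of this chunk.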