Marcus Rueckert
e0e7b0c209
Accepted submit request 59942 from user jeff_mahoney OBS-URL: https://build.opensuse.org/request/show/59942 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=7
120 lines
3.7 KiB
Plaintext
120 lines
3.7 KiB
Plaintext
From: Jeff Mahoney <jeffm@suse.com>
|
|
Subject: profiles: update dhclient
|
|
References: bnc#561152
|
|
|
|
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
---
|
|
profiles/apparmor/profiles/extras/sbin.dhclient | 60 +++++++++++------
|
|
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
|
|
2 files changed, 60 insertions(+), 21 deletions(-)
|
|
|
|
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
|
|
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
|
|
@@ -12,12 +12,12 @@
|
|
# raw sockets, and thus cannot be confined with NetDomain
|
|
#
|
|
# Should these programs have their own domains?
|
|
-# /bin/ps mixr,
|
|
-# /sbin/arp rmix,
|
|
-# /usr/bin/dig rmix,
|
|
-# /usr/bin/uptime rmix,
|
|
-# /usr/bin/vmstat rmix,
|
|
-# /usr/bin/w rmix,
|
|
+# /bin/ps mrix,
|
|
+# /sbin/arp mrix,
|
|
+# /usr/bin/dig mrix,
|
|
+# /usr/bin/uptime mrix,
|
|
+# /usr/bin/vmstat mrix,
|
|
+# /usr/bin/w mrix,
|
|
|
|
#include <tunables/global>
|
|
|
|
@@ -25,25 +25,29 @@
|
|
#include <abstractions/base>
|
|
#include <abstractions/bash>
|
|
#include <abstractions/nameservice>
|
|
- /sbin/dhclient rmix,
|
|
- /sbin/dhclient-script rmix,
|
|
- /bin/bash rmix,
|
|
- /bin/df rmix,
|
|
+
|
|
+ network packet packet,
|
|
+
|
|
+ /sbin/dhclient mrix,
|
|
+
|
|
+ /sbin/dhclient-script mrix,
|
|
+ /bin/bash mrix,
|
|
+ /bin/df mrix,
|
|
/bin/netstat Px,
|
|
- /bin/ps mixr,
|
|
+ /bin/ps mrix,
|
|
/dev/random r,
|
|
/etc/dhclient.conf r,
|
|
- @{PROC}/ r,
|
|
- @{PROC}/interrupts r,
|
|
- @{PROC}/net/dev r,
|
|
- @{PROC}/rtc r,
|
|
+ @{PROC}/ r,
|
|
+ @{PROC}/interrupts r,
|
|
+ @{PROC}/*/net/dev r,
|
|
+ @{PROC}/rtc r,
|
|
# following rule shouldn't work, self is a symlink
|
|
- @{PROC}/self/status r,
|
|
- /sbin/arp rmix,
|
|
- /usr/bin/dig rmix,
|
|
- /usr/bin/uptime rmix,
|
|
- /usr/bin/vmstat rmix,
|
|
- /usr/bin/w rmix,
|
|
+ @{PROC}/self/status r,
|
|
+ /sbin/arp mrix,
|
|
+ /usr/bin/dig mrix,
|
|
+ /usr/bin/uptime mrix,
|
|
+ /usr/bin/vmstat mrix,
|
|
+ /usr/bin/w mrix,
|
|
/var/lib/dhcp/dhclient.leases rw,
|
|
/var/lib/dhcp/dhclient-*.leases rw,
|
|
/var/log/lastlog r,
|
|
@@ -53,4 +57,18 @@
|
|
/var/run/dhclient-*.pid rw,
|
|
/var/spool r,
|
|
/var/spool/mail r,
|
|
+
|
|
+ # This one will need to be fleshed out depending on what the user is doing
|
|
+ /sbin/dhclient-script mrpx,
|
|
+
|
|
+ /bin/grep mrix,
|
|
+ /bin/sleep mrix,
|
|
+ /etc/sysconfig/network/dhcp r,
|
|
+ /etc/sysconfig/network/scripts/functions.common r,
|
|
+ /etc/sysconfig/network/scripts/functions r,
|
|
+ /sbin/ip mrix,
|
|
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
|
|
+ /var/lib/dhcp/* rw,
|
|
+ /var/run/nm-dhclient-*.conf r,
|
|
+
|
|
}
|
|
--- /dev/null
|
|
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
|
|
@@ -0,0 +1,21 @@
|
|
+# Last Modified: Tue Jan 25 16:48:30 2011
|
|
+#include <tunables/global>
|
|
+
|
|
+# dhclient-script will call plugins from /etc/netconfig.d, so this
|
|
+# will need to be extended on a per-site basis.
|
|
+
|
|
+/sbin/dhclient-script {
|
|
+ #include <abstractions/base>
|
|
+ #include <abstractions/bash>
|
|
+ #include <abstractions/consoles>
|
|
+
|
|
+ /bin/bash rix,
|
|
+ /bin/grep rix,
|
|
+ /bin/sleep rix,
|
|
+ /bin/touch rix,
|
|
+ /dev/.sysconfig/network/** r,
|
|
+ /etc/netconfig.d/* mrix,
|
|
+ /etc/sysconfig/network/** r,
|
|
+ /sbin/dhclient-script r,
|
|
+ /sbin/ip rix,
|
|
+}
|