--- a/profiles/apparmor.d/usr.sbin.dnsmasq +++ b/profiles/apparmor.d/usr.sbin.dnsmasq @@ -1,3 +1,10 @@ +# Last Modified: Thu Jun 10 01:23:44 2021 +abi , + +include + +@{TFTP_DIR} = /srv/tftp /srv/tftpboot /var/tftp + # ------------------------------------------------------------------ # # Copyright (C) 2009 John Dong @@ -9,126 +16,95 @@ # # ------------------------------------------------------------------ -abi , - -@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot -include profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { include include include + include + include if exists capability chown, + capability dac_override, + capability net_admin, # for DHCP server capability net_bind_service, + capability net_raw, # for DHCP server ping checks capability setgid, capability setuid, - capability dac_override, - capability net_admin, # for DHCP server - capability net_raw, # for DHCP server ping checks + network inet raw, network inet6 raw, - signal (receive) peer=/usr/{bin,sbin}/libvirtd, - signal (receive) peer=libvirtd, - ptrace (readby) peer=/usr/{bin,sbin}/libvirtd, - ptrace (readby) peer=libvirtd, + signal receive peer=/usr/{bin,sbin}/libvirtd, + signal receive peer=libvirtd, - owner /dev/tty rw, + ptrace readby peer=/usr/{bin,sbin}/libvirtd, + ptrace readby peer=libvirtd, - @{PROC}/@{pid}/fd/ r, - - /etc/dnsmasq.conf r, - /etc/dnsmasq.d/ r, - /etc/dnsmasq.d/* r, - /etc/dnsmasq.d-available/ r, - /etc/dnsmasq.d-available/* r, - /etc/ethers r, - /etc/NetworkManager/dnsmasq.d/ r, - /etc/NetworkManager/dnsmasq.d/* r, /etc/NetworkManager/dnsmasq-shared.d/ r, /etc/NetworkManager/dnsmasq-shared.d/* r, + /etc/NetworkManager/dnsmasq.d/ r, + /etc/NetworkManager/dnsmasq.d/* r, /etc/dnsmasq-conf.conf r, /etc/dnsmasq-resolv.conf r, - - /usr/{bin,sbin}/dnsmasq mr, - - /var/log/dnsmasq*.log w, - + /etc/dnsmasq.conf r, + /etc/dnsmasq.d-available/ r, + /etc/dnsmasq.d-available/* r, + /etc/dnsmasq.d/ r, + /etc/dnsmasq.d/* r, + /etc/ethers r, + /tmp/** r, + /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper, + /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper, /usr/share/dnsmasq{-base,}/ r, /usr/share/dnsmasq{-base,}/* r, - - @{run}/*dnsmasq*.pid w, - @{run}/dnsmasq-forwarders.conf r, - @{run}/dnsmasq/ r, - @{run}/dnsmasq/* rw, - + /usr/{bin,sbin}/dnsmasq mr, + /var/lib/NetworkManager/dnsmasq-*.leases rw, + /var/lib/libvirt/dnsmasq/ r, + /var/lib/libvirt/dnsmasq/* r, + /var/lib/lxd-bridge/dnsmasq.*.leases rw, + /var/lib/lxd/networks/*/dnsmasq.* r, + /var/lib/lxd/networks/*/dnsmasq.leases rw, + /var/lib/lxd/networks/*/dnsmasq.pid rw, + /var/lib/misc/dnsmasq.*.leases rw, /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage - + /var/log/dnsmasq*.log w, /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument - - # access to iface mtu needed for Router Advertisement messages in IPv6 - # Neighbor Discovery protocol (RFC 2461) + @{PROC}/@{pid}/fd/ r, @{PROC}/sys/net/ipv6/conf/*/mtu r, - - # for the read-only TFTP server @{TFTP_DIR}/ r, @{TFTP_DIR}/** r, - - # libvirt config and hosts file for dnsmasq - /var/lib/libvirt/dnsmasq/ r, - /var/lib/libvirt/dnsmasq/* r, - - # libvirt pid files for dnsmasq - @{run}/libvirt/network/ r, + @{run}/*dnsmasq*.pid w, + @{run}/NetworkManager/NetworkManager.pid w, + @{run}/NetworkManager/dnsmasq.conf r, + @{run}/NetworkManager/dnsmasq.pid w, + @{run}/dnsmasq-forwarders.conf r, + @{run}/dnsmasq/ r, + @{run}/dnsmasq/* rw, + @{run}/libvirt/network/ r, @{run}/libvirt/network/*.pid rw, - - # libvirt lease helper - /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper, - /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper, - - # lxc-net pid and lease files - @{run}/lxc/dnsmasq.pid rw, - /var/lib/misc/dnsmasq.*.leases rw, - - # lxd-bridge pid and lease files - @{run}/lxd-bridge/dnsmasq.pid rw, - /var/lib/lxd-bridge/dnsmasq.*.leases rw, - /var/lib/lxd/networks/*/dnsmasq.* r, - /var/lib/lxd/networks/*/dnsmasq.leases rw, - /var/lib/lxd/networks/*/dnsmasq.pid rw, - - # NetworkManager integration - /var/lib/NetworkManager/dnsmasq-*.leases rw, + @{run}/lxc/dnsmasq.pid rw, + @{run}/lxd-bridge/dnsmasq.pid rw, @{run}/nm-dns-dnsmasq.conf r, @{run}/nm-dnsmasq-*.pid rw, @{run}/sendsigs.omit.d/*dnsmasq.pid w, - @{run}/NetworkManager/dnsmasq.conf r, - @{run}/NetworkManager/dnsmasq.pid w, - @{run}/NetworkManager/NetworkManager.pid w, + owner /dev/tty rw, + profile libvirt_leaseshelper { include /etc/libnl-3/classid r, - - /usr/lib{,64}/libvirt/libvirt_leaseshelper m, /usr/libexec/libvirt_leaseshelper m, - - owner @{PROC}/@{pid}/net/psched r, - owner @{PROC}/@{pid}/status r, - + /usr/lib{,64}/libvirt/libvirt_leaseshelper m, + /var/lib/libvirt/dnsmasq/*.leases rw, + /var/lib/libvirt/dnsmasq/*.status* rw, + @{run}/leaseshelper.pid rwk, @{sys}/devices/system/cpu/ r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/*/meminfo r, + owner @{PROC}/@{pid}/net/psched r, + owner @{PROC}/@{pid}/status r, - # libvirt lease and status files for dnsmasq - /var/lib/libvirt/dnsmasq/*.leases rw, - /var/lib/libvirt/dnsmasq/*.status* rw, - - @{run}/leaseshelper.pid rwk, } - - # Site-specific additions and overrides. See local/README for details. - include if exists }