intrigeri has proposed merging
lp:~intrigeri/apparmor/dnsmasq-better-confine-libvirt-leaseshelper into
lp:apparmor.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~intrigeri/apparmor/dnsmasq-better-confine-libvirt-leaseshelper/+merge/267822
--
Your team AppArmor Developers is requested to review the proposed merge of
lp:~intrigeri/apparmor/dnsmasq-better-confine-libvirt-leaseshelper into
lp:apparmor.
=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
--- profiles/apparmor.d/usr.sbin.dnsmasq 2015-07-24 18:56:27 +0000
+++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-08-12 14:29:26 +0000
@@ -55,19 +55,16 @@
@{TFTP_DIR}/ r,
@{TFTP_DIR}/** r,
- # libvirt config, lease and hosts files for dnsmasq
+ # libvirt config and hosts file for dnsmasq
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/* r,
- /var/lib/libvirt/dnsmasq/*.leases rw,
- /var/lib/libvirt/dnsmasq/*.status* rw,
# libvirt pid files for dnsmasq
/{,var/}run/libvirt/network/ r,
/{,var/}run/libvirt/network/*.pid rw,
# libvirt lease helper
- /usr/lib{,64}/libvirt/libvirt_leaseshelper ix,
- /{,var/}run/leaseshelper.pid rwk,
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
# lxc-net pid and lease files
/{,var/}run/lxc/dnsmasq.pid rw,
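Review bot: In the libvirt block, the retained rule `/var/lib/libvirt/dnsmasq/* r,` still matches `*.leases` and `*.status*`, so dnsmasq itself keeps read access to the lease and status files even though the updated comment now mentions only config and hosts files. If that read access is still needed, say so in the comment; if the intent is that only the helper touches those files, narrow the glob or add explicit deny rules for them. On the `Cx -> libvirt_leaseshelper` line, a brief comment on why the environment-scrubbing `Cx` was chosen over `cx` would also help later readers.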
@@ -79,6 +76,25 @@
/{,var/}run/NetworkManager/dnsmasq.conf r,
/{,var/}run/NetworkManager/dnsmasq.pid w,
+ profile libvirt_leaseshelper {
+ #include <abstractions/base>
+
+ /etc/libnl-3/classid r,
+
+ owner @{PROC}/@{pid}/net/psched r,
+ owner @{PROC}/@{pid}/status r,
+
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/*/meminfo r,
+
+ # libvirt lease and status files for dnsmasq
+ /var/lib/libvirt/dnsmasq/*.leases rw,
+ /var/lib/libvirt/dnsmasq/*.status* rw,
+
+ /{,var/}run/leaseshelper.pid rwk,
+ }
+
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.dnsmasq>
}
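Review bot: The new `profile libvirt_leaseshelper` block has no rule for the helper's own binary, `/usr/lib{,64}/libvirt/libvirt_leaseshelper`. After the `Cx` transition the child profile is the one in force, so consider adding `/usr/lib{,64}/libvirt/libvirt_leaseshelper mr,` there unless testing on the supported kernels shows it is not required. The child profile also has no local include of its own, so the `#include <local/usr.sbin.dnsmasq>` at the end extends only the parent; sites that need to adjust the helper's rules would have to edit this file, which is worth either a comment or a dedicated include inside the child block.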
--
AppArmor mailing list