On Wed, Sep 16, 2015 at 02:18:32PM +0200, Christian Boltz wrote:
> Hello,
>
> this patch is based on a SLE12 patch to allow executing the
> --dhcp-script. We already have most parts of that patch since r2841,
> except:
> - the SLE bugreport indicates that /bin/sh is executed (which is usually
>   a symlink to /bin/bash or /bin/dash), so we should also allow /bin/sh
> - /dev/tty rw - the SLE bug doesn't explain why it's needed, but from
>   looking at (link taken from the bugreport)
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/lease.c;h=8adb60588671324d9ddf00d7dab40474d40d4393;hb=HEAD#l45
> I'd guess that fscanf() (line 70) should explain it.
>
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
I don't like the /dev/tty; that deserves more investigation. The fscanf() on 70 is reading a file specified in a configuration option, so that's not likely to be it. In my /etc/apparmor.d/, the rsyslogd and squid3 profiles allow /dev/tty. The cups and telepathy profiles deny /dev/tty to silence alerts. The /bin/sh change is fine though, that bit can go into trunk and 2.9. Acked-by: Seth Arnold <[email protected]> Thanks > > I propose this patch for trunk and 2.9. > > > [ dnsmasq-profile-boo940749.diff ] > > === modified file 'profiles/apparmor.d/usr.sbin.dnsmasq' > --- profiles/apparmor.d/usr.sbin.dnsmasq 2015-07-24 18:56:27 +0000 > +++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-16 12:03:40 +0000 > @@ -29,6 +29,8 @@ > signal (receive) peer=/usr/sbin/libvirtd, > ptrace (readby) peer=/usr/sbin/libvirtd, > > + /dev/tty rw, > + > /etc/dnsmasq.conf r, > /etc/dnsmasq.d/ r, > /etc/dnsmasq.d/* r, > @@ -45,7 +47,7 @@ > > /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage > > - /bin/{b,d}ash ix, # Required to execute --dhcp-script argument > + /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument > > # access to iface mtu needed for Router Advertisement messages in IPv6 > # Neighbor Discovery protocol (RFC 2461)
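Review bot: the `+ /dev/tty rw,` rule in the first hunk (after the `ptrace (readby)` line) grants read-write access to the controlling terminal on nothing more than a guess, and the guess does not hold: the fscanf() at lease.c line 70 reads the lease file named in the configuration, which the profile already covers with `/var/lib/misc/dnsmasq.leases rw,`. Drop this line until the denial is reproduced from audit logs and the code path is known; if the only goal is to quiet log noise, a `deny /dev/tty rw,` rule, as the cups and telepathy profiles use, would silence the alert without widening what a compromised dnsmasq can reach.

Review bot: the second hunk's `+ /bin/{ba,da,}sh ix,` is correct (the empty alternative expands to /bin/sh) but the trailing comma is easy to misread as a typo, and `ix` means the --dhcp-script runs under this same profile, so any files the script touches must also be listed here. Suggest making the comment explicit, e.g. `/bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument via /bin/sh, bash or dash`, so the next editor does not "fix" the brace expression.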
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
