Created
February 8, 2017 04:03
-
-
Save somidad/9bd230e1514db813f54be70269c50b87 to your computer and use it in GitHub Desktop.
apparmor for /sbin/dhclient
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # vim:syntax=apparmor | |
| # Last Modified: Fri Jul 17 11:46:19 2009 | |
| # Author: Jamie Strandboge <[email protected]> | |
| #include <tunables/global> | |
| /sbin/dhclient { | |
| #include <abstractions/base> | |
| #include <abstractions/nameservice> | |
| capability net_bind_service, | |
| capability net_raw, | |
| capability sys_module, | |
| capability dac_override, | |
| capability net_admin, | |
| network packet, | |
| network raw, | |
| @{PROC}/[0-9]*/net/ r, | |
| @{PROC}/[0-9]*/net/** r, | |
| /sbin/dhclient mr, | |
| # LP: #1197484 and LP: #1202203 - why is this needed? :( | |
| /bin/bash mr, | |
| /etc/dhclient.conf r, | |
| /etc/dhcp/ r, | |
| /etc/dhcp/** r, | |
| /var/lib/dhcp{,3}/dhclient* lrw, | |
| /{,var/}run/dhclient*.pid lrw, | |
| /{,var/}run/dhclient*.lease* lrw, | |
| # NetworkManager | |
| /{,var/}run/nm*conf r, | |
| /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw, | |
| /var/lib/NetworkManager/dhclient*.conf lrw, | |
| /var/lib/NetworkManager/dhclient*.lease* lrw, | |
| # connman | |
| /{,var/}run/connman/dhclient*.pid lrw, | |
| /{,var/}run/connman/dhclient*.leases lrw, | |
| # synce-hal | |
| /usr/share/synce-hal/dhclient.conf r, | |
| # if there is a custom script, let it run unconfined | |
| /etc/dhcp/dhclient-script Uxr, | |
| # The dhclient-script shell script sources other shell scripts rather than | |
| # executing them, so we can't just use a separate profile for dhclient-script | |
| # with 'Uxr' on the hook scripts. However, for the long-running dhclient3 | |
| # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be | |
| # able to subvert dhclient-script or write to the hooks.d directories. As | |
| # such, if the dhclient3 daemon is subverted, this effectively limits it to | |
| # only being able to run the hooks scripts. | |
| /sbin/dhclient-script Uxr, | |
| # Run the ELF executables under their own unrestricted profiles | |
| /usr/lib/NetworkManager/nm-dhcp-client.action Pxrm, | |
| /usr/lib/connman/scripts/dhclient-script Pxrm, | |
| # Site-specific additions and overrides. See local/README for details. | |
| #include <local/sbin.dhclient> | |
| } | |
| /usr/lib/NetworkManager/nm-dhcp-client.action { | |
| #include <abstractions/base> | |
| #include <abstractions/dbus> | |
| /usr/lib/NetworkManager/nm-dhcp-client.action mr, | |
| /var/lib/NetworkManager/*lease r, | |
| } | |
| /usr/lib/connman/scripts/dhclient-script { | |
| #include <abstractions/base> | |
| #include <abstractions/dbus> | |
| /usr/lib/connman/scripts/dhclient-script mr, | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment