- # vim:syntax=apparmor
- # Last Modified: Thu Feb 24 08:46:21 2009
- # Author: Jamie Strandboge <jamie@canonical.com>
- #include <tunables/global>
-
- /sbin/dhclient3 {
- #include <abstractions/base>
- #include <abstractions/nameservice>
-
- capability net_bind_service,
- capability net_raw,
- capability sys_module,
- capability dac_override,
-
- network packet,
- network raw,
-
- @{PROC}/*/net/ r,
- @{PROC}/*/net/** r,
-
- /sbin/dhclient3 mr,
-
- /etc/dhclient.conf r,
- /etc/dhcp3/ r,
- /etc/dhcp3/** r,
-
- /var/lib/dhcp3/dhclient* lrw,
- /var/run/dhclient*.pid lrw,
-
- # NetworkManager
- /var/run/nm*conf r,
-
- # connman
- /var/run/connman/dhclient*.pid lrw,
- /var/run/connman/dhclient*.leases lrw,
-
- # if there is a custom script, let it run unconfined
- /etc/dhcp3/dhclient-script Uxr,
-
- # run under its own profile, and clean the environment
- /sbin/dhclient-script Pxr,
- /usr/lib/NetworkManager/nm-dhcp-client.action Pxr,
- /usr/lib/connman/scripts/dhclient-script Pxr,
- }
-
- /sbin/dhclient-script {
- # dhclient-script sources other shell scripts rather than executing them, so
- # we can't just use 'Uxr' on the hook scripts. However, for the long-running
- # dhclient3 daemon to run arbitrary code via the unconfined shells below, it
- # would need to be able to subvert dhclient-script or write to the hooks.d
- # directories. As such, if the dhclient3 daemon is subverted, this
- # effectively limits it to only being able to run the hooks scripts.
- /bin/bash Uxr,
- /bin/dash Uxr,
-
- /sbin/dhclient-script mr,
- }
-
- /usr/lib/NetworkManager/nm-dhcp-client.action {
- #include <abstractions/base>
- #include <abstractions/dbus>
- /usr/lib/NetworkManager/nm-dhcp-client.action mr,
- }
-
- /usr/lib/connman/scripts/dhclient-script {
- #include <abstractions/base>
- #include <abstractions/dbus>
- /usr/lib/connman/scripts/dhclient-script mr,
- }
-
-