Server : Apache/2.4.41 (Ubuntu) System : Linux journalup 5.4.0-198-generic #218-Ubuntu SMP Fri Sep 27 20:18:53 UTC 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.33 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, Directory : /etc/apparmor.d/ |
# vim:syntax=apparmor #include <tunables/global> /{,usr/}sbin/dhclient flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/openssl> capability net_bind_service, capability net_raw, capability dac_override, capability net_admin, network packet, network raw, @{PROC}/[0-9]*/net/ r, @{PROC}/[0-9]*/net/** r, # dhclient wants to update its threads with functional names # https://gitlab.com/apparmor/apparmor/-/merge_requests/730 # see LP: #1918410 owner @{PROC}/@{pid}/task/[0-9]*/comm rw, /{,usr/}sbin/dhclient mr, # LP: #1197484 and LP: #1202203 - why is this needed? :( /{,usr/}bin/bash mr, /etc/dhclient.conf r, /etc/dhcp/ r, /etc/dhcp/** r, /var/lib/dhcp{,3}/dhclient* lrw, /{,var/}run/dhclient*.pid lrw, /{,var/}run/dhclient*.lease* lrw, # NetworkManager /{,var/}run/nm*conf r, /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw, /{,var/}run/NetworkManager/dhclient*.pid lrw, /var/lib/NetworkManager/dhclient*.conf lrw, /var/lib/NetworkManager/dhclient*.lease* lrw, signal (receive) peer=/usr/sbin/NetworkManager, ptrace (readby) peer=/usr/sbin/NetworkManager, # connman /{,var/}run/connman/dhclient*.pid lrw, /{,var/}run/connman/dhclient*.leases lrw, # synce-hal /usr/share/synce-hal/dhclient.conf r, # if there is a custom script, let it run unconfined /etc/dhcp/dhclient-script Uxr, # The dhclient-script shell script sources other shell scripts rather than # executing them, so we can't just use a separate profile for dhclient-script # with 'Uxr' on the hook scripts. However, for the long-running dhclient3 # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be # able to subvert dhclient-script or write to the hooks.d directories. As # such, if the dhclient3 daemon is subverted, this effectively limits it to # only being able to run the hooks scripts. /{,usr/}sbin/dhclient-script Uxr, # Run the ELF executables under their own unrestricted profiles /usr/lib/NetworkManager/nm-dhcp-client.action Pxrm, /usr/lib/connman/scripts/dhclient-script Pxrm, # Support the new executable helper from NetworkManager. /usr/lib/NetworkManager/nm-dhcp-helper Pxrm, signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper, # Site-specific additions and overrides. See local/README for details. #include <local/sbin.dhclient> } /usr/lib/NetworkManager/nm-dhcp-client.action { #include <abstractions/base> #include <abstractions/dbus> /usr/lib/NetworkManager/nm-dhcp-client.action mr, /var/lib/NetworkManager/*lease r, signal (receive) peer=/usr/sbin/NetworkManager, ptrace (readby) peer=/usr/sbin/NetworkManager, network inet dgram, network inet6 dgram, } /usr/lib/NetworkManager/nm-dhcp-helper { #include <abstractions/base> #include <abstractions/dbus> /usr/lib/NetworkManager/nm-dhcp-helper mr, /run/NetworkManager/private-dhcp rw, signal (send) peer=/sbin/dhclient, /var/lib/NetworkManager/*lease r, signal (receive) peer=/usr/sbin/NetworkManager, ptrace (readby) peer=/usr/sbin/NetworkManager, network inet dgram, network inet6 dgram, } /usr/lib/connman/scripts/dhclient-script { #include <abstractions/base> #include <abstractions/dbus> /usr/lib/connman/scripts/dhclient-script mr, network inet dgram, network inet6 dgram, }