# vim:syntax=apparmor
#include <tunables/global>
/{,usr/}sbin/dhclient flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
capability net_bind_service,
capability net_raw,
capability dac_override,
capability net_admin,
network packet,
network raw,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/** r,
# dhclient wants to update its threads with functional names
# https://gitlab.com/apparmor/apparmor/-/merge_requests/730
# see LP: #1918410
owner @{PROC}/@{pid}/task/[0-9]*/comm rw,
# LP: #1926139
@{PROC}/cmdline r,
/{,usr/}sbin/dhclient mr,
# LP: #1197484 and LP: #1202203 - why is this needed? :(
/{,usr/}bin/bash mr,
/etc/dhclient.conf r,
/etc/dhcp/ r,
/etc/dhcp/** r,
/var/lib/dhcp{,3}/dhclient* lrw,
/{,var/}run/dhclient*.pid lrw,
/{,var/}run/dhclient*.lease* lrw,
# NetworkManager
/{,var/}run/nm*conf r,
/{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
/{,var/}run/NetworkManager/dhclient*.pid lrw,
/var/lib/NetworkManager/dhclient*.conf lrw,
/var/lib/NetworkManager/dhclient*.lease* lrw,
signal (receive) peer=/usr/sbin/NetworkManager,
ptrace (readby) peer=/usr/sbin/NetworkManager,
# connman
/{,var/}run/connman/dhclient*.pid lrw,
/{,var/}run/connman/dhclient*.leases lrw,
# synce-hal
/usr/share/synce-hal/dhclient.conf r,
# if there is a custom script, let it run unconfined
/etc/dhcp/dhclient-script Uxr,
# The dhclient-script shell script sources other shell scripts rather than
# executing them, so we can't just use a separate profile for dhclient-script
# with 'Uxr' on the hook scripts. However, for the long-running dhclient3
# daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
# able to subvert dhclient-script or write to the hooks.d directories. As
# such, if the dhclient3 daemon is subverted, this effectively limits it to
# only being able to run the hooks scripts.
/{,usr/}sbin/dhclient-script Uxr,
# Run the ELF executables under their own unrestricted profiles
/usr/lib/NetworkManager/nm-dhcp-client.action Pxrm,
/usr/lib/connman/scripts/dhclient-script Pxrm,
# Support the new executable helper from NetworkManager.
/usr/lib/NetworkManager/nm-dhcp-helper Pxrm,
signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
# Site-specific additions and overrides. See local/README for details.
#include <local/sbin.dhclient>
}
/usr/lib/NetworkManager/nm-dhcp-client.action {
#include <abstractions/base>
#include <abstractions/dbus>
/usr/lib/NetworkManager/nm-dhcp-client.action mr,
/var/lib/NetworkManager/*lease r,
signal (receive) peer=/usr/sbin/NetworkManager,
ptrace (readby) peer=/usr/sbin/NetworkManager,
network inet dgram,
network inet6 dgram,
}
/usr/lib/NetworkManager/nm-dhcp-helper {
#include <abstractions/base>
#include <abstractions/dbus>
/usr/lib/NetworkManager/nm-dhcp-helper mr,
/run/NetworkManager/private-dhcp rw,
signal (send) peer=/sbin/dhclient,
/var/lib/NetworkManager/*lease r,
signal (receive) peer=/usr/sbin/NetworkManager,
ptrace (readby) peer=/usr/sbin/NetworkManager,
network inet dgram,
network inet6 dgram,
}
/usr/lib/connman/scripts/dhclient-script {
#include <abstractions/base>
#include <abstractions/dbus>
/usr/lib/connman/scripts/dhclient-script mr,
network inet dgram,
network inet6 dgram,
}
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| abi | Folder | 0755 |
|
|
| abstractions | Folder | 0755 |
|
|
| disable | Folder | 0755 |
|
|
| force-complain | Folder | 0755 |
|
|
| local | Folder | 0755 |
|
|
| tunables | Folder | 0755 |
|
|
| lsb_release | File | 1.28 KB | 0644 |
|
| nvidia_modprobe | File | 1.08 KB | 0644 |
|
| sbin.dhclient | File | 3.42 KB | 0644 |
|
| usr.bin.evince | File | 10.82 KB | 0644 |
|
| usr.bin.firefox | File | 9.95 KB | 0644 |
|
| usr.bin.man | File | 3.13 KB | 0644 |
|
| usr.lib.libreoffice.program.oosplash | File | 1.48 KB | 0644 |
|
| usr.lib.libreoffice.program.senddoc | File | 1.2 KB | 0644 |
|
| usr.lib.libreoffice.program.soffice.bin | File | 10.4 KB | 0644 |
|
| usr.lib.libreoffice.program.xpdfimport | File | 1.02 KB | 0644 |
|
| usr.lib.snapd.snap-confine.real | File | 28.76 KB | 0644 |
|
| usr.sbin.cups-browsed | File | 540 B | 0644 |
|
| usr.sbin.cupsd | File | 5.66 KB | 0644 |
|
| usr.sbin.ippusbxd | File | 672 B | 0644 |
|
| usr.sbin.mysqld | File | 1.96 KB | 0644 |
|
| usr.sbin.rsyslogd | File | 1.54 KB | 0644 |
|
| usr.sbin.tcpdump | File | 1.45 KB | 0644 |
|