File: //etc/apparmor.d/usr.sbin.dnsmasq
# ------------------------------------------------------------------
#
# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
include <tunables/global>
profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(complain,attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus>
include <abstractions/nameservice>
capability chown,
capability net_bind_service,
capability setgid,
capability setuid,
capability dac_override,
capability net_admin, # for DHCP server
capability net_raw, # for DHCP server ping checks
network inet raw,
network inet6 raw,
signal (receive) peer=/usr/{bin,sbin}/libvirtd,
signal (receive) peer=libvirtd,
ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
ptrace (readby) peer=libvirtd,
owner /dev/tty rw,
@{PROC}/@{pid}/fd/ r,
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
/etc/dnsmasq.d-available/ r,
/etc/dnsmasq.d-available/* r,
/etc/ethers r,
/etc/NetworkManager/dnsmasq.d/ r,
/etc/NetworkManager/dnsmasq.d/* r,
/etc/NetworkManager/dnsmasq-shared.d/ r,
/etc/NetworkManager/dnsmasq-shared.d/* r,
/etc/dnsmasq-conf.conf r,
/etc/dnsmasq-resolv.conf r,
/usr/{bin,sbin}/dnsmasq mr,
/var/log/dnsmasq*.log w,
/usr/share/dnsmasq{-base,}/ r,
/usr/share/dnsmasq{-base,}/* r,
@{run}/*dnsmasq*.pid w,
@{run}/dnsmasq-forwarders.conf r,
@{run}/dnsmasq/ r,
@{run}/dnsmasq/* rw,
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
/{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
# access to iface mtu needed for Router Advertisement messages in IPv6
# Neighbor Discovery protocol (RFC 2461)
@{PROC}/sys/net/ipv6/conf/*/mtu r,
# for the read-only TFTP server
@{TFTP_DIR}/ r,
@{TFTP_DIR}/** r,
# libvirt config and hosts file for dnsmasq
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/* r,
# libvirt pid files for dnsmasq
@{run}/libvirt/network/ r,
@{run}/libvirt/network/*.pid rw,
# libvirt lease helper
/usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
/usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
# lxc-net pid and lease files
@{run}/lxc/dnsmasq.pid rw,
/var/lib/misc/dnsmasq.*.leases rw,
# lxd-bridge pid and lease files
@{run}/lxd-bridge/dnsmasq.pid rw,
/var/lib/lxd-bridge/dnsmasq.*.leases rw,
/var/lib/lxd/networks/*/dnsmasq.* r,
/var/lib/lxd/networks/*/dnsmasq.leases rw,
/var/lib/lxd/networks/*/dnsmasq.pid rw,
# NetworkManager integration
/var/lib/NetworkManager/dnsmasq-*.leases rw,
@{run}/nm-dns-dnsmasq.conf r,
@{run}/nm-dnsmasq-*.pid rw,
@{run}/sendsigs.omit.d/*dnsmasq.pid w,
@{run}/NetworkManager/dnsmasq.conf r,
@{run}/NetworkManager/dnsmasq.pid w,
@{run}/NetworkManager/NetworkManager.pid w,
# dnsname plugin in podman
@{run}/containers/cni/dnsname/*/dnsmasq.conf r,
@{run}/containers/cni/dnsname/*/addnhosts r,
@{run}/containers/cni/dnsname/*/pidfile rw,
profile libvirt_leaseshelper flags=(complain) {
include <abstractions/base>
/etc/libnl-3/classid r,
/usr/lib{,64}/libvirt/libvirt_leaseshelper m,
/usr/libexec/libvirt_leaseshelper m,
owner @{PROC}/@{pid}/net/psched r,
owner @{PROC}/@{pid}/status r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/*/meminfo r,
# libvirt lease and status files for dnsmasq
/var/lib/libvirt/dnsmasq/*.leases rw,
/var/lib/libvirt/dnsmasq/*.status* rw,
@{run}/leaseshelper.pid rwk,
}
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.dnsmasq>
}