Update dhclient apparmor profile under overlayroot
With updated kernels, programs running under overlayroot fail AppArmor checks with a disconnected_path error. Fix dhclient by adding the attach_disconnected flag to its profile. Signed-off-by: Ryan Harper <ryan.harper@canonical.com>
parent
9138137057
commit
acab44c1ec
@ -383,6 +383,7 @@ generate_img() {
|
||||||
local cachedir=${2};
|
local cachedir=${2};
|
||||||
local bootloader=${3};
|
local bootloader=${3};
|
||||||
local extlinux_conf=${TOPDIR}/resources/menu/extlinux-menu.conf
|
local extlinux_conf=${TOPDIR}/resources/menu/extlinux-menu.conf
|
||||||
|
local apparmor_path=${TOPDIR}/resources/apparmor
|
||||||
local grub_conf=${TOPDIR}/resources/grub/grub.cfg
|
local grub_conf=${TOPDIR}/resources/grub/grub.cfg
|
||||||
local gptmbr=$(dpkg -L syslinux-common | grep \/gptmbr.bin | grep -v efi)
|
local gptmbr=$(dpkg -L syslinux-common | grep \/gptmbr.bin | grep -v efi)
|
||||||
local installimg=${cachedir}/installer.img
|
local installimg=${cachedir}/installer.img
|
||||||
|
@ -475,7 +476,7 @@ generate_img() {
|
||||||
sudo cp /etc/resolv.conf ${resolvconf} &&
|
sudo cp /etc/resolv.conf ${resolvconf} &&
|
||||||
log "Installing on rootfs: $packages"
|
log "Installing on rootfs: $packages"
|
||||||
sudo chroot ${mnt} apt-get update &&
|
sudo chroot ${mnt} apt-get update &&
|
||||||
sudo chroot ${mnt} apt-get install $packages || {
|
sudo chroot ${mnt} apt-get -y install $packages || {
|
||||||
log "Failed to install packages on rootfs";
|
log "Failed to install packages on rootfs";
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
@ -498,6 +499,14 @@ generate_img() {
|
||||||
cat ${grub_conf} | sudo tee ${mnt}/boot/grub/grub.cfg
|
cat ${grub_conf} | sudo tee ${mnt}/boot/grub/grub.cfg
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# update apparmor policy for dhclient
|
||||||
|
log "Updating apparmor policies"
|
||||||
|
sudo rsync -avP ${apparmor_path}/apparmor.d/ ${mnt}/etc/apparmor.d/ || {
|
||||||
|
log "Failed to sync local apparmor updates";
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
log "Installing cloud seed"
|
||||||
sudo mkdir -p ${mnt}/var/lib/cloud/seed &&
|
sudo mkdir -p ${mnt}/var/lib/cloud/seed &&
|
||||||
sudo cp -a ${seed} ${mnt}/var/lib/cloud/seed && sync || {
|
sudo cp -a ${seed} ${mnt}/var/lib/cloud/seed && sync || {
|
||||||
log "Failed to install bootloader and configuration";
|
log "Failed to install bootloader and configuration";
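Review bot: The new `sudo rsync -avP ${apparmor_path}/apparmor.d/ ${mnt}/etc/apparmor.d/` uses `-a`, which when run as root preserves the source files' owner and group, so the profile lands in the image's /etc/apparmor.d owned by whatever uid owns the build checkout rather than root; an unprivileged account with that uid inside the image could then rewrite the policy. `-P` only adds progress output, which is noise in a build log. I would make it `sudo rsync -rlt "${apparmor_path}/apparmor.d/" "${mnt}/etc/apparmor.d/"` so new files are created as root (or follow the copy with `chown -R root:root`), quoting the expansions while at it. Since this overwrites the dhclient profile shipped by the package installed in the apt-get step above, a later package upgrade in the image will see a modified conffile, which deserves a comment such as `# overrides the packaged sbin.dhclient profile; re-check on package updates`. generate_img() begins before the first hunk and continues after this one.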
|
||||||
|
|
|
@ -0,0 +1,84 @@
|
||||||
|
# vim:syntax=apparmor
|
||||||
|
# Last Modified: Fri Jul 17 11:46:19 2009
|
||||||
|
# Author: Jamie Strandboge <jamie@canonical.com>
|
||||||
|
#include <tunables/global>
|
||||||
|
|
||||||
|
/sbin/dhclient flags=(attach_disconnected) {
|
||||||
|
#include <abstractions/base>
|
||||||
|
#include <abstractions/nameservice>
|
||||||
|
|
||||||
|
capability net_bind_service,
|
||||||
|
capability net_raw,
|
||||||
|
capability sys_module,
|
||||||
|
capability dac_override,
|
||||||
|
capability net_admin,
|
||||||
|
|
||||||
|
network packet,
|
||||||
|
network raw,
|
||||||
|
|
||||||
|
@{PROC}/[0-9]*/net/ r,
|
||||||
|
@{PROC}/[0-9]*/net/** r,
|
||||||
|
|
||||||
|
/sbin/dhclient mr,
|
||||||
|
# LP: #1197484 and LP: #1202203 - why is this needed? :(
|
||||||
|
/bin/bash mr,
|
||||||
|
|
||||||
|
/etc/dhclient.conf r,
|
||||||
|
/etc/dhcp/ r,
|
||||||
|
/etc/dhcp/** r,
|
||||||
|
|
||||||
|
/var/lib/dhcp{,3}/dhclient* lrw,
|
||||||
|
/{,var/}run/dhclient*.pid lrw,
|
||||||
|
/{,var/}run/dhclient*.lease* lrw,
|
||||||
|
|
||||||
|
# NetworkManager
|
||||||
|
/{,var/}run/nm*conf r,
|
||||||
|
/{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
|
||||||
|
/var/lib/NetworkManager/dhclient*.conf lrw,
|
||||||
|
/var/lib/NetworkManager/dhclient*.lease* lrw,
|
||||||
|
|
||||||
|
# connman
|
||||||
|
/{,var/}run/connman/dhclient*.pid lrw,
|
||||||
|
/{,var/}run/connman/dhclient*.leases lrw,
|
||||||
|
|
||||||
|
# synce-hal
|
||||||
|
/usr/share/synce-hal/dhclient.conf r,
|
||||||
|
|
||||||
|
# if there is a custom script, let it run unconfined
|
||||||
|
/etc/dhcp/dhclient-script Uxr,
|
||||||
|
|
||||||
|
# The dhclient-script shell script sources other shell scripts rather than
|
||||||
|
# executing them, so we can't just use a separate profile for dhclient-script
|
||||||
|
# with 'Uxr' on the hook scripts. However, for the long-running dhclient3
|
||||||
|
# daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
|
||||||
|
# able to subvert dhclient-script or write to the hooks.d directories. As
|
||||||
|
# such, if the dhclient3 daemon is subverted, this effectively limits it to
|
||||||
|
# only being able to run the hooks scripts.
|
||||||
|
/sbin/dhclient-script Uxr,
|
||||||
|
|
||||||
|
# Run the ELF executables under their own unrestricted profiles
|
||||||
|
/usr/lib/NetworkManager/nm-dhcp-client.action Pxrm,
|
||||||
|
/usr/lib/connman/scripts/dhclient-script Pxrm,
|
||||||
|
|
||||||
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
|
#include <local/sbin.dhclient>
|
||||||
|
}
|
||||||
|
|
||||||
|
/usr/lib/NetworkManager/nm-dhcp-client.action {
|
||||||
|
#include <abstractions/base>
|
||||||
|
#include <abstractions/dbus>
|
||||||
|
/usr/lib/NetworkManager/nm-dhcp-client.action mr,
|
||||||
|
|
||||||
|
/var/lib/NetworkManager/*lease r,
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
}
|
||||||
|
|
||||||
|
/usr/lib/connman/scripts/dhclient-script {
|
||||||
|
#include <abstractions/base>
|
||||||
|
#include <abstractions/dbus>
|
||||||
|
/usr/lib/connman/scripts/dhclient-script mr,
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
}
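Review bot: The file keeps the upstream header `# Last Modified: Fri Jul 17 11:46:19 2009` and `# Author: Jamie Strandboge`, but nothing records that this is a vendored copy of the packaged profile whose only intended delta is `flags=(attach_disconnected)` on the `/sbin/dhclient` header, which is what the next person diffing it against the package needs to know. I would add above the profile a comment naming where it was copied from and the single change, e.g. `# Vendored Ubuntu sbin.dhclient profile; local change: attach_disconnected so overlayroot's disconnected paths are not denied`. That comment should also note that attach_disconnected makes disconnected files match the path rules as if rooted at `/`, so the unconfined `Uxr` transitions to `/etc/dhcp/dhclient-script` and `/sbin/dhclient-script` and the broad `capability sys_module` grant below are now reachable on overlay-backed paths as well, as far as I read the flag. Finally, `#include <local/sbin.dhclient>` makes apparmor_parser fail if `/etc/apparmor.d/local/sbin.dhclient` is absent in the image, so the copy relies on the dhclient package having been installed first; worth stating in the same header.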
|
||||||
|
|