Merge lp:~elmo/apparmor-profiles/lldpd into lp:apparmor-profiles

Proposed by James Troup
Status: Merged
Merged at revision: 140
Proposed branch: lp:~elmo/apparmor-profiles/lldpd
Merge into: lp:apparmor-profiles
Diff against target: 169 lines (+150/-0)
4 files modified
ubuntu/10.04/usr.sbin.lldpd (+33/-0)
ubuntu/12.04/usr.sbin.lldpd (+39/-0)
ubuntu/13.10/usr.sbin.lldpd (+39/-0)
ubuntu/14.04/usr.sbin.lldpd (+39/-0)
To merge this branch: bzr merge lp:~elmo/apparmor-profiles/lldpd
Reviewer              Review Type   Date Requested   Status
AppArmor Developers                                  Pending
Review via email: mp+202092@code.launchpad.net

Description of the change

Profile for lldpd. We're using this on 10.04 and 12.04 (in production) and 13.10. I've blind copied it to 14.04 as that seems to be standard practice.

Christian Boltz (cboltz) wrote :

Hello,

On Friday, 17 January 2014, James Troup wrote:
> James Troup has proposed merging lp:~elmo/apparmor-profiles/lldpd into
> lp:apparmor-profiles.

> For more details, see:
> https://code.launchpad.net/~elmo/apparmor-profiles/lldpd/+merge/202092

> === added file 'ubuntu/10.04/usr.sbin.lldpd'
> --- ubuntu/10.04/usr.sbin.lldpd 1970-01-01 00:00:00 +0000
> +++ ubuntu/10.04/usr.sbin.lldpd 2014-01-17 13:13:03 +0000
> @@ -0,0 +1,33 @@
> +# Author: James Troup <email address hidden>
> +
> +#include <tunables/global>
> +
> +/usr/sbin/lldpd {
> + #include <abstractions/base>
> + #include <abstractions/nameservice>
> +
> + capability chown,
> + capability dac_override,
> + capability fowner,
> + capability fsetid,
> + capability kill,
> + capability net_admin,
> + capability net_raw,
> + capability setgid,
> + capability setuid,
> + capability sys_chroot,
> + capability sys_module,
> +
> + network packet raw,
> +
> + /usr/sbin/lldpcli rix,
> + /usr/sbin/lldpd mr,
> +
> + /var/run/lldpd.pid rw,
> + /var/run/lldpd.socket w,
> + /usr/bin/lsb_release rUx,
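Review bot: `capability sys_module` (the last entry in the capability list) lets the confined daemon load and unload kernel modules, which amounts to unconfined kernel access and turns every other restriction in this profile into a formality; it should be dropped unless a denial for it is actually observed, and if lldpd depends on a module being present, loading it from the init script or a modprobe.d entry before the daemon starts keeps the capability out of the daemon's hands. `capability dac_override` deserves the same scrutiny, since it bypasses file permission checks on every path the profile allows, which matters more because `/usr/bin/lsb_release rUx` on the following line hands that privilege set to an unconfined child.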

Given the impressive set of capabilities, I'd prefer to avoid Ux. What
about creating a profile (or child profile) for lsb_release?

(seems to be different in the profiles for newer releases - I'm not sure
if it's still worth fixing for 10.04)

Regards,

Christian Boltz
--
> /etc/sysconfig/powersave/cpufreq contains the line:
> # the next lover CPU frequency. Increasing this value lowers the
             ^^^^^
we should keep that one ;)
[Michael Gross in https://bugzilla.novell.com/show_bug.cgi?id=183704]
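The child-profile alternative suggested in the review above, written out as an added example; it is not part of the merge proposal, the apparmor-profiles tree, or Christian's reply. It assumes the `Cx` exec transition and nested `profile` block syntax of AppArmor 2.x (a child without `-> name` is named by the executable path). The rules inside the child, the Python abstraction, the interpreter path and the `/etc/lsb-release*` reads, are assumptions about what `lsb_release` needs and stand in for whatever `aa-logprof` reports on the target release; they must be confirmed there before use.

```apparmor
# Added example: replacing "rUx" with a child profile for lsb_release.
# Not from the merge proposal. The rules inside the child profile are
# assumptions and must be confirmed against complain-mode logs on the
# target release.

#include <tunables/global>

/usr/sbin/lldpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # ... the capability and path rules from the proposed profile go here ...

  # Before: "rUx" executes lsb_release entirely unconfined (the capital U
  # only scrubs the environment), so a hijacked lsb_release, or anything
  # it execs, is outside AppArmor's reach while lldpd itself holds
  # sys_module, dac_override, net_admin and the rest.
  #   /usr/bin/lsb_release rUx,

  # After: transition into a child profile. The child is defined inside
  # this profile, is named by the executable path, and lists no
  # "capability" rules at all, so even a compromised lldpd cannot use
  # lsb_release as an unconfined hop.
  /usr/bin/lsb_release rCx,

  profile /usr/bin/lsb_release {
    #include <abstractions/base>
    # On Ubuntu lsb_release is a Python script (assumption; verify with
    # `head -1 /usr/bin/lsb_release`), so it needs the interpreter and its
    # library paths, which the python abstraction covers.
    #include <abstractions/python>

    /usr/bin/lsb_release r,
    /usr/bin/python2.* rix,

    # Data files it reads (assumed; extend from aa-logprof output).
    /etc/lsb-release r,
    /etc/lsb-release.d/ r,
    /etc/lsb-release.d/* r,

    # Deliberately no capability lines and no network rules: if a denial
    # shows up here in complain mode, that is a finding, not a rule to add.
  }
}
```

If the tree already carries a stand-alone `/usr/bin/lsb_release` profile, `rPx` to that profile is the other option Christian mentions; the child form above is self-contained and does not depend on another file being installed. Either way, run the parser on the target release (`apparmor_parser -Q usr.sbin.lldpd`) before shipping, since older parsers differ in which transition syntaxes they accept.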

Preview Diff

1=== added file 'ubuntu/10.04/usr.sbin.lldpd'
2--- ubuntu/10.04/usr.sbin.lldpd 1970-01-01 00:00:00 +0000
3+++ ubuntu/10.04/usr.sbin.lldpd 2014-01-17 13:13:03 +0000
4@@ -0,0 +1,33 @@
5+# Author: James Troup <james.troup@canonical.com>
6+
7+#include <tunables/global>
8+
9+/usr/sbin/lldpd {
10+ #include <abstractions/base>
11+ #include <abstractions/nameservice>
12+
13+ capability chown,
14+ capability dac_override,
15+ capability fowner,
16+ capability fsetid,
17+ capability kill,
18+ capability net_admin,
19+ capability net_raw,
20+ capability setgid,
21+ capability setuid,
22+ capability sys_chroot,
23+ capability sys_module,
24+
25+ network packet raw,
26+
27+ /usr/sbin/lldpcli rix,
28+ /usr/sbin/lldpd mr,
29+
30+ /var/run/lldpd.pid rw,
31+ /var/run/lldpd.socket w,
32+ /usr/bin/lsb_release rUx,
33+
34+ /proc/sys/net/ipv4/ip_forward r,
35+ /sys/devices/virtual/dmi/** r,
36+ /sys/devices/pci**/net/*/ifalias r,
37+}
38
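Review bot: `/var/run/lldpd.socket w` is write-only here while the 12.04, 13.10 and 14.04 profiles in the same diff grant `rw` on `/run/lldpd.socket`; if `w` is genuinely sufficient on 10.04 a one-line comment saying so would stop a later harmonisation from widening it, and if it is not, the missing `r` only shows up as a denial in complain mode. This hunk also grants `capability sys_chroot` but, unlike the later profiles with their `/run/lldpd/var/ rw` and `/run/lldpd/var/** rw` rules, lists no chroot directory at all, so it is worth confirming in the 10.04 audit log that no denial appears for whatever directory the daemon chroots into.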
39=== added file 'ubuntu/12.04/usr.sbin.lldpd'
40--- ubuntu/12.04/usr.sbin.lldpd 1970-01-01 00:00:00 +0000
41+++ ubuntu/12.04/usr.sbin.lldpd 2014-01-17 13:13:03 +0000
42@@ -0,0 +1,39 @@
43+# Author: James Troup <james.troup@canonical.com>
44+
45+#include <tunables/global>
46+
47+/usr/sbin/lldpd {
48+ #include <abstractions/base>
49+ #include <abstractions/nameservice>
50+
51+ capability chown,
52+ capability dac_override,
53+ capability fowner,
54+ capability fsetid,
55+ capability kill,
56+ capability net_admin,
57+ capability net_raw,
58+ capability setgid,
59+ capability setuid,
60+ capability sys_chroot,
61+ capability sys_module,
62+
63+ network packet raw,
64+
65+ /usr/sbin/lldpcli rix,
66+ /usr/sbin/lldpd mr,
67+
68+ /run/lldpd.pid rw,
69+ /run/lldpd.socket rw,
70+
71+ /run/lldpd/var/ rw,
72+ /run/lldpd/var/** rw,
73+
74+ /etc/os-release r,
75+
76+ /proc/sys/net/ipv4/ip_forward r,
77+
78+ /sys/devices/virtual/dmi/** r,
79+ /sys/devices/virtual/net/** r,
80+ /sys/devices/pci**/net/*/ifalias r,
81+}
82
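Review bot: `/run/lldpd/var/** rw` gives the daemon write access to every file and directory under that tree, and combined with `capability chown`, `fowner`, `fsetid` and `dac_override` it can create, reown and mode-change anything there regardless of ownership; if the daemon only needs the directory plus a known set of files, listing them (or at least narrowing to `/run/lldpd/var/*`) would be tighter, and a comment on why the recursive rule is needed would help the next reviewer. On the positive side, this profile reads `/etc/os-release r` instead of executing `lsb_release` with `rUx`, so the unconfined-child concern raised against the 10.04 profile does not apply here.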
83=== added file 'ubuntu/13.10/usr.sbin.lldpd'
84--- ubuntu/13.10/usr.sbin.lldpd 1970-01-01 00:00:00 +0000
85+++ ubuntu/13.10/usr.sbin.lldpd 2014-01-17 13:13:03 +0000
86@@ -0,0 +1,39 @@
87+# Author: James Troup <james.troup@canonical.com>
88+
89+#include <tunables/global>
90+
91+/usr/sbin/lldpd {
92+ #include <abstractions/base>
93+ #include <abstractions/nameservice>
94+
95+ capability chown,
96+ capability dac_override,
97+ capability fowner,
98+ capability fsetid,
99+ capability kill,
100+ capability net_admin,
101+ capability net_raw,
102+ capability setgid,
103+ capability setuid,
104+ capability sys_chroot,
105+ capability sys_module,
106+
107+ network packet raw,
108+
109+ /usr/sbin/lldpcli rix,
110+ /usr/sbin/lldpd mr,
111+
112+ /run/lldpd.pid rw,
113+ /run/lldpd.socket rw,
114+
115+ /run/lldpd/var/ rw,
116+ /run/lldpd/var/** rw,
117+
118+ /etc/os-release r,
119+
120+ /proc/sys/net/ipv4/ip_forward r,
121+
122+ /sys/devices/virtual/dmi/** r,
123+ /sys/devices/virtual/net/** r,
124+ /sys/devices/pci**/net/*/ifalias r,
125+}
126
127=== added file 'ubuntu/14.04/usr.sbin.lldpd'
128--- ubuntu/14.04/usr.sbin.lldpd 1970-01-01 00:00:00 +0000
129+++ ubuntu/14.04/usr.sbin.lldpd 2014-01-17 13:13:03 +0000
130@@ -0,0 +1,39 @@
131+# Author: James Troup <james.troup@canonical.com>
132+
133+#include <tunables/global>
134+
135+/usr/sbin/lldpd {
136+ #include <abstractions/base>
137+ #include <abstractions/nameservice>
138+
139+ capability chown,
140+ capability dac_override,
141+ capability fowner,
142+ capability fsetid,
143+ capability kill,
144+ capability net_admin,
145+ capability net_raw,
146+ capability setgid,
147+ capability setuid,
148+ capability sys_chroot,
149+ capability sys_module,
150+
151+ network packet raw,
152+
153+ /usr/sbin/lldpcli rix,
154+ /usr/sbin/lldpd mr,
155+
156+ /run/lldpd.pid rw,
157+ /run/lldpd.socket rw,
158+
159+ /run/lldpd/var/ rw,
160+ /run/lldpd/var/** rw,
161+
162+ /etc/os-release r,
163+
164+ /proc/sys/net/ipv4/ip_forward r,
165+
166+ /sys/devices/virtual/dmi/** r,
167+ /sys/devices/virtual/net/** r,
168+ /sys/devices/pci**/net/*/ifalias r,
169+}
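Review bot: the description says this file was blind copied to 14.04 rather than tested, and it is byte-for-byte identical to the 12.04 and 13.10 profiles, so before merging it should be loaded on a 14.04 system in complain mode (`aa-complain /etc/apparmor.d/usr.sbin.lldpd`), exercised through a daemon restart and an `lldpcli` query, and `dmesg` or `/var/log/kern.log` checked for `apparmor="ALLOWED"` lines; the rules have only been validated on 10.04, 12.04 and 13.10, and the sysfs globs (`/sys/devices/pci**/net/*/ifalias`, `/sys/devices/virtual/net/**`) are the kind of path that a kernel update silently moves.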
