From 751860552b3c14d1a4384e6cc460d0d462af7f41 Mon Sep 17 00:00:00 2001
From: noarchwastaken
Date: Sat, 10 Apr 2021 23:48:59 -0400
Subject: [PATCH] apparmor: fix dnsmasq profile
---
 .../apparmor/files/profiles/usr.sbin.dnsmasq | 136 ++++++++++++++++++
 srcpkgs/apparmor/template | 2 +-
 2 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/apparmor/files/profiles/usr.sbin.dnsmasq
diff --git a/srcpkgs/apparmor/files/profiles/usr.sbin.dnsmasq b/srcpkgs/apparmor/files/profiles/usr.sbin.dnsmasq
new file mode 100644
index 000000000000..27a2d46049f5
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.sbin.dnsmasq
@@ -0,0 +1,136 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 John Dong
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# vim:syntax=apparmor
+
+abi ,
+
+@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
+
+include
+profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability chown,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
+ network inet6 raw,
+
+ signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+ signal (receive) peer=libvirtd,
+ ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+ ptrace (readby) peer=libvirtd,
+
+ owner /dev/tty rw,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ /etc/dnsmasq.conf r,
+ /etc/dnsmasq.d/ r,
+ /etc/dnsmasq.d/* r,
+ /etc/dnsmasq.d-available/ r,
+ /etc/dnsmasq.d-available/* r,
+ /etc/ethers r,
+ /etc/NetworkManager/dnsmasq.d/ r,
+ /etc/NetworkManager/dnsmasq.d/* r,
+ /etc/NetworkManager/dnsmasq-shared.d/ r,
+ /etc/NetworkManager/dnsmasq-shared.d/* r,
+ /etc/dnsmasq-conf.conf r,
+ /etc/dnsmasq-resolv.conf r,
+
+ /usr/{bin,sbin}/dnsmasq mr,
+
+ /var/log/dnsmasq*.log w,
+
+ /usr/share/dnsmasq{-base,}/ r,
+ /usr/share/dnsmasq{-base,}/* r,
+
+ @{run}/*dnsmasq*.pid w,
+ @{run}/dnsmasq-forwarders.conf r,
+ @{run}/dnsmasq/ r,
+ @{run}/dnsmasq/* rw,
+
+ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+ /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
+
+ # for the read-only TFTP server
+ @{TFTP_DIR}/ r,
+ @{TFTP_DIR}/** r,
+
+ # libvirt config and hosts file for dnsmasq
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/* r,
+
+ # libvirt pid files for dnsmasq
+ @{run}/libvirt/network/ r,
+ @{run}/libvirt/network/*.pid rw,
+
+ # libvirt lease helper
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+ /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+
+ # lxc-net pid and lease files
+ @{run}/lxc/dnsmasq.pid rw,
+ /var/lib/misc/dnsmasq.*.leases rw,
+
+ # lxd-bridge pid and lease files
+ @{run}/lxd-bridge/dnsmasq.pid rw,
+ /var/lib/lxd-bridge/dnsmasq.*.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.* r,
+ /var/lib/lxd/networks/*/dnsmasq.leases rw,
+ /var/lib/lxd/networks/*/dnsmasq.pid rw,
+
+ # NetworkManager integration
+ /var/lib/NetworkManager/dnsmasq-*.leases rw,
+ @{run}/nm-dns-dnsmasq.conf r,
+ @{run}/nm-dnsmasq-*.pid rw,
+ @{run}/sendsigs.omit.d/*dnsmasq.pid w,
+ @{run}/NetworkManager/dnsmasq.conf r,
+ @{run}/NetworkManager/dnsmasq.pid w,
+ @{run}/NetworkManager/NetworkManager.pid w,
+
+ profile libvirt_leaseshelper {
+ include
+
+ /etc/libnl-3/classid r,
+
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+ /usr/libexec/libvirt_leaseshelper mr,
+
+ owner @{PROC}/@{pid}/net/psched r,
+ owner @{PROC}/@{pid}/status r,
+
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/*/meminfo r,
+
+ # libvirt lease and status files for dnsmasq
+ /var/lib/libvirt/dnsmasq/*.leases rw,
+ /var/lib/libvirt/dnsmasq/*.status* rw,
+
+ @{run}/leaseshelper.pid rwk,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
\ No newline at end of file
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index dfbd3ef472fa..0d8c1ec7087e 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
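Review bot: The new profile is committed without a trailing newline (the `\ No newline at end of file` marker after the closing `}`), so the next change to this file will show a spurious diff on that line; add the final newline before merging. As rendered here the `abi ,`, `include` and `include if exists` directives show no target, and the `From:` header has likewise lost its angle-bracketed address, so this is presumably angle-bracketed text (`<abi/3.0>`, `<tunables/global>`, the abstraction includes, the `local/` override) dropped in rendering rather than missing from the file; if the file really lacks them, apparmor_parser rejects the profile, so a parser dry-run of the installed file would settle it. The rule set appears to be inherited verbatim from the Canonical-authored upstream profile (libvirt lease helper, lxd-bridge, NetworkManager and `sendsigs.omit.d` paths), so it would help future resyncs to record in the commit description which upstream version it was taken from.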
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=3
+revision=4
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure