[PR PATCH] apparmor: fix dnsmasq profile

[PR PATCH] apparmor: fix dnsmasq profile

[noarchwastaken]

[-- Attachment #1: Type: text/plain, Size: 1631 bytes --]

There is a new pull request by noarchwastaken against master on the void-packages repository

https://github.com/noarchwastaken/void-packages apparmor-dnsmasq
https://github.com/void-linux/void-packages/pull/30142

apparmor: fix dnsmasq profile
Closes #29343

<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!-- 
#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl
-->


A patch file from https://github.com/void-linux/void-packages/pull/30142.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-dnsmasq-30142.patch --]
[-- Type: text/x-diff, Size: 5128 bytes --]

From 751860552b3c14d1a4384e6cc460d0d462af7f41 Mon Sep 17 00:00:00 2001
From: noarchwastaken <noarch@n0ar.ch>
Date: Sat, 10 Apr 2021 23:48:59 -0400
Subject: [PATCH] apparmor: fix dnsmasq profile

---
 .../apparmor/files/profiles/usr.sbin.dnsmasq  | 136 ++++++++++++++++++
 srcpkgs/apparmor/template                     |   2 +-
 2 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/apparmor/files/profiles/usr.sbin.dnsmasq

diff --git a/srcpkgs/apparmor/files/profiles/usr.sbin.dnsmasq b/srcpkgs/apparmor/files/profiles/usr.sbin.dnsmasq
new file mode 100644
index 000000000000..27a2d46049f5
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.sbin.dnsmasq
@@ -0,0 +1,136 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009 John Dong <jdong@ubuntu.com>
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
+
+include <tunables/global>
+profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/dbus>
+  include <abstractions/nameservice>
+
+  capability chown,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability dac_override,
+  capability net_admin,         # for DHCP server
+  capability net_raw,           # for DHCP server ping checks
+  network inet raw,
+  network inet6 raw,
+
+  signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+  signal (receive) peer=libvirtd,
+  ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+  ptrace (readby) peer=libvirtd,
+
+  owner /dev/tty rw,
+
+  @{PROC}/@{pid}/fd/ r,
+
+  /etc/dnsmasq.conf r,
+  /etc/dnsmasq.d/ r,
+  /etc/dnsmasq.d/* r,
+  /etc/dnsmasq.d-available/ r,
+  /etc/dnsmasq.d-available/* r,
+  /etc/ethers r,
+  /etc/NetworkManager/dnsmasq.d/ r,
+  /etc/NetworkManager/dnsmasq.d/* r,
+  /etc/NetworkManager/dnsmasq-shared.d/ r,
+  /etc/NetworkManager/dnsmasq-shared.d/* r,
+  /etc/dnsmasq-conf.conf r,
+  /etc/dnsmasq-resolv.conf r,
+
+  /usr/{bin,sbin}/dnsmasq mr,
+
+  /var/log/dnsmasq*.log w,
+
+  /usr/share/dnsmasq{-base,}/ r,
+  /usr/share/dnsmasq{-base,}/* r,
+
+  @{run}/*dnsmasq*.pid w,
+  @{run}/dnsmasq-forwarders.conf r,
+  @{run}/dnsmasq/ r,
+  @{run}/dnsmasq/* rw,
+
+  /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+  /{,usr/}bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+
+  # access to iface mtu needed for Router Advertisement messages in IPv6
+  # Neighbor Discovery protocol (RFC 2461)
+  @{PROC}/sys/net/ipv6/conf/*/mtu r,
+
+  # for the read-only TFTP server
+  @{TFTP_DIR}/ r,
+  @{TFTP_DIR}/** r,
+
+  # libvirt config and hosts file for dnsmasq
+  /var/lib/libvirt/dnsmasq/          r,
+  /var/lib/libvirt/dnsmasq/*         r,
+
+  # libvirt pid files for dnsmasq
+  @{run}/libvirt/network/      r,
+  @{run}/libvirt/network/*.pid rw,
+
+  # libvirt lease helper
+  /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+  /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
+
+  # lxc-net pid and lease files
+  @{run}/lxc/dnsmasq.pid    rw,
+  /var/lib/misc/dnsmasq.*.leases rw,
+
+  # lxd-bridge pid and lease files
+  @{run}/lxd-bridge/dnsmasq.pid   rw,
+  /var/lib/lxd-bridge/dnsmasq.*.leases rw,
+  /var/lib/lxd/networks/*/dnsmasq.* r,
+  /var/lib/lxd/networks/*/dnsmasq.leases rw,
+  /var/lib/lxd/networks/*/dnsmasq.pid rw,
+
+  # NetworkManager integration
+  /var/lib/NetworkManager/dnsmasq-*.leases rw,
+  @{run}/nm-dns-dnsmasq.conf r,
+  @{run}/nm-dnsmasq-*.pid rw,
+  @{run}/sendsigs.omit.d/*dnsmasq.pid w,
+  @{run}/NetworkManager/dnsmasq.conf r,
+  @{run}/NetworkManager/dnsmasq.pid w,
+  @{run}/NetworkManager/NetworkManager.pid w,
+
+  profile libvirt_leaseshelper {
+    include <abstractions/base>
+
+    /etc/libnl-3/classid r,
+
+    /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+    /usr/libexec/libvirt_leaseshelper mr,
+
+    owner @{PROC}/@{pid}/net/psched r,
+    owner @{PROC}/@{pid}/status r,
+
+    @{sys}/devices/system/cpu/ r,
+    @{sys}/devices/system/node/ r,
+    @{sys}/devices/system/node/*/meminfo r,
+
+    # libvirt lease and status files for dnsmasq
+    /var/lib/libvirt/dnsmasq/*.leases  rw,
+    /var/lib/libvirt/dnsmasq/*.status* rw,
+
+    @{run}/leaseshelper.pid rwk,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.dnsmasq>
+}
\ No newline at end of file
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index dfbd3ef472fa..0d8c1ec7087e 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=3
+revision=4
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure

Re: apparmor: fix dnsmasq profile

[noarchwastaken]

[-- Attachment #1: Type: text/plain, Size: 504 bytes --]

New comment by noarchwastaken on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817244282

Comment:
> I'd name it `usr.bin.dnsmasq`, for void purposes.
> 
> Commit message should include profile origin too. That said, I'd rather not vendor this in, if possible...

The profile comes from the current default, with the change stated [here](https://github.com/void-linux/void-packages/issues/29343#issuecomment-817241508), and I kept the original naming.

Re: apparmor: fix dnsmasq profile

[noarchwastaken]

[-- Attachment #1: Type: text/plain, Size: 269 bytes --]

New comment by noarchwastaken on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817244584

Comment:
This is actually the first time that I touched apparmor profiles, and I would like to know if there is a better solution.

Re: apparmor: fix dnsmasq profile

[FollieHiyuki]

[-- Attachment #1: Type: text/plain, Size: 237 bytes --]

New comment by FollieHiyuki on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817272259

Comment:
We can add rules to `/etc/apparmor.d/local/` if touching the main profile rule is not ideal

Re: apparmor: fix dnsmasq profile

[paper42]

[-- Attachment #1: Type: text/plain, Size: 1468 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817280088

Comment:
I think this is a bigger problem that requires a better solution. apparmor's upstream often fixes their profiles[1] when new versions of software require new permissions, but void ships profiles from the last apparmor release which are often broken by the time a new release comes out. The simplest solution right now I can think of would involve creating a new package with apparmor profiles which would track upstream's master.
The best solution may be to create a new void-appamor git repository which would track new versions of software in void[2], because there are often some void specific permissions. This would also allow us to have profiles for more packages than what upstream provides, but this will require dedicating some time to it.

> We can add rules to /etc/apparmor.d/local/ if touching the main profile rule is not ideal

@FollieHiyuki I think `/etc/apparmor.d/local/` is meant for user customizations, so distributions shouldn't touch that if not neccessary (for example nvidia graphics cards may require different permissions than intel or amd).

[[1] many commits to apparmor profiles since the last release 4 months ago](https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d)
[[2] Apparmor profile plumbing issue](https://github.com/void-linux/void-infrastructure/issues/82)

Re: apparmor: fix dnsmasq profile

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 327 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817302778

Comment:
Instead of vendoring the whole file, patching it would be a lot cleaner and we would actually notice if the vendoring is not necessary or there have been changes in the upstream profile.

Re: [PR PATCH] [Updated] apparmor: fix dnsmasq profile

[noarchwastaken]

[-- Attachment #1: Type: text/plain, Size: 1636 bytes --]

There is an updated pull request by noarchwastaken against master on the void-packages repository

https://github.com/noarchwastaken/void-packages apparmor-dnsmasq
https://github.com/void-linux/void-packages/pull/30142

apparmor: fix dnsmasq profile
Closes #29343

<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!-- 
#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl
-->


A patch file from https://github.com/void-linux/void-packages/pull/30142.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-dnsmasq-30142.patch --]
[-- Type: text/x-diff, Size: 1628 bytes --]

From c4d43a5daee9d6fe56f0b1d9895c64e3173dd13b Mon Sep 17 00:00:00 2001
From: noarchwastaken <noarch@n0ar.ch>
Date: Sun, 11 Apr 2021 13:30:39 -0400
Subject: [PATCH] fix dnsmasq profile

---
 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch | 13 +++++++++++++
 srcpkgs/apparmor/template                          |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch

diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
new file mode 100644
index 000000000000..99ba9d3b5ab9
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
@@ -0,0 +1,13 @@
+diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
+index 7ae9a148..a32d24ca 100644
+--- a/profiles/apparmor.d/usr.sbin.dnsmasq
++++ b/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+     /etc/libnl-3/classid r,
+ 
+     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+-    /usr/libexec/libvirt_leaseshelper m,
++    /usr/libexec/libvirt_leaseshelper mr,
+ 
+     owner @{PROC}/@{pid}/net/psched r,
+     owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index dfbd3ef472fa..0d8c1ec7087e 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=3
+revision=4
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure

Re: apparmor: fix dnsmasq profile

[noarchwastaken]

[-- Attachment #1: Type: text/plain, Size: 189 bytes --]

New comment by noarchwastaken on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817345100

Comment:
I changed it into a patch. Please review.

Re: apparmor: fix dnsmasq profile

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 220 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817345572

Comment:
A lot better, just change the commit message to `apparmor: fix dnsmaq profile`.

Re: [PR PATCH] [Updated] apparmor: fix dnsmasq profile

[noarchwastaken]

[-- Attachment #1: Type: text/plain, Size: 1636 bytes --]

There is an updated pull request by noarchwastaken against master on the void-packages repository

https://github.com/noarchwastaken/void-packages apparmor-dnsmasq
https://github.com/void-linux/void-packages/pull/30142

apparmor: fix dnsmasq profile
Closes #29343

<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!-- 
#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl
-->


A patch file from https://github.com/void-linux/void-packages/pull/30142.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-dnsmasq-30142.patch --]
[-- Type: text/x-diff, Size: 1638 bytes --]

From 75733e86f25e963ad66f3c55fa8313674fdede57 Mon Sep 17 00:00:00 2001
From: noarchwastaken <noarch@n0ar.ch>
Date: Sun, 11 Apr 2021 13:30:39 -0400
Subject: [PATCH] apparmor: fix dnsmasq profile

---
 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch | 13 +++++++++++++
 srcpkgs/apparmor/template                          |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch

diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
new file mode 100644
index 000000000000..99ba9d3b5ab9
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
@@ -0,0 +1,13 @@
+diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
+index 7ae9a148..a32d24ca 100644
+--- a/profiles/apparmor.d/usr.sbin.dnsmasq
++++ b/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+     /etc/libnl-3/classid r,
+ 
+     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
+-    /usr/libexec/libvirt_leaseshelper m,
++    /usr/libexec/libvirt_leaseshelper mr,
+ 
+     owner @{PROC}/@{pid}/net/psched r,
+     owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index dfbd3ef472fa..0d8c1ec7087e 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=3
+revision=4
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure

Re: [PR PATCH] [Merged]: apparmor: fix dnsmasq profile

[ericonr]

[-- Attachment #1: Type: text/plain, Size: 1457 bytes --]

There's a merged pull request on the void-packages repository

apparmor: fix dnsmasq profile
https://github.com/void-linux/void-packages/pull/30142

Description:
Closes #29343

<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!-- 
#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl
-->