| Apache/2.4.7 (Ubuntu) Linux sman1baleendah 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 uid=33(www-data) gid=33(www-data) groups=33(www-data) safemode : OFF MySQL: ON | Perl: ON | cURL: OFF | WGet: ON > / etc / apparmor.d / | server ip : 172.67.156.115 your ip : 172.70.127.90 H O M E |
| Filename | /etc/apparmor.d/sbin.dhclient |
| Size | 2.32 kb |
| Permission | rw-r--r-- |
| Owner | root : root |
| Create time | 27-Apr-2025 09:50 |
| Last modified | 07-Apr-2014 21:37 |
| Last accessed | 05-Jul-2025 11:25 |
| Actions | edit | rename | delete | download (gzip) |
| View | text | code | image |
# vim:syntax=apparmor
# Last Modified: Fri Jul 17 11:46:19 2009
# Author: Jamie Strandboge <[email protected]>
#include <tunables/global>
/sbin/dhclient {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability net_raw,
capability sys_module,
capability dac_override,
capability net_admin,
network packet,
network raw,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/** r,
/sbin/dhclient mr,
# LP: #1197484 and LP: #1202203 - why is this needed? :(
/bin/bash mr,
/etc/dhclient.conf r,
/etc/dhcp/ r,
/etc/dhcp/** r,
/var/lib/dhcp{,3}/dhclient* lrw,
/{,var/}run/dhclient*.pid lrw,
/{,var/}run/dhclient*.lease* lrw,
# NetworkManager
/{,var/}run/nm*conf r,
/{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
/var/lib/NetworkManager/dhclient*.conf lrw,
/var/lib/NetworkManager/dhclient*.lease* lrw,
# connman
/{,var/}run/connman/dhclient*.pid lrw,
/{,var/}run/connman/dhclient*.leases lrw,
# synce-hal
/usr/share/synce-hal/dhclient.conf r,
# if there is a custom script, let it run unconfined
/etc/dhcp/dhclient-script Uxr,
# The dhclient-script shell script sources other shell scripts rather than
# executing them, so we can't just use a separate profile for dhclient-script
# with 'Uxr' on the hook scripts. However, for the long-running dhclient3
# daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
# able to subvert dhclient-script or write to the hooks.d directories. As
# such, if the dhclient3 daemon is subverted, this effectively limits it to
# only being able to run the hooks scripts.
/sbin/dhclient-script Uxr,
# Run the ELF executables under their own unrestricted profiles
/usr/lib/NetworkManager/nm-dhcp-client.action Pxrm,
/usr/lib/connman/scripts/dhclient-script Pxrm,
# Site-specific additions and overrides. See local/README for details.
#include <local/sbin.dhclient>
}
/usr/lib/NetworkManager/nm-dhcp-client.action {
#include <abstractions/base>
#include <abstractions/dbus>
/usr/lib/NetworkManager/nm-dhcp-client.action mr,
/var/lib/NetworkManager/*lease r,
}
/usr/lib/connman/scripts/dhclient-script {
#include <abstractions/base>
#include <abstractions/dbus>
/usr/lib/connman/scripts/dhclient-script mr,
}
# Last Modified: Fri Jul 17 11:46:19 2009
# Author: Jamie Strandboge <[email protected]>
#include <tunables/global>
/sbin/dhclient {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability net_raw,
capability sys_module,
capability dac_override,
capability net_admin,
network packet,
network raw,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/** r,
/sbin/dhclient mr,
# LP: #1197484 and LP: #1202203 - why is this needed? :(
/bin/bash mr,
/etc/dhclient.conf r,
/etc/dhcp/ r,
/etc/dhcp/** r,
/var/lib/dhcp{,3}/dhclient* lrw,
/{,var/}run/dhclient*.pid lrw,
/{,var/}run/dhclient*.lease* lrw,
# NetworkManager
/{,var/}run/nm*conf r,
/{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
/var/lib/NetworkManager/dhclient*.conf lrw,
/var/lib/NetworkManager/dhclient*.lease* lrw,
# connman
/{,var/}run/connman/dhclient*.pid lrw,
/{,var/}run/connman/dhclient*.leases lrw,
# synce-hal
/usr/share/synce-hal/dhclient.conf r,
# if there is a custom script, let it run unconfined
/etc/dhcp/dhclient-script Uxr,
# The dhclient-script shell script sources other shell scripts rather than
# executing them, so we can't just use a separate profile for dhclient-script
# with 'Uxr' on the hook scripts. However, for the long-running dhclient3
# daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
# able to subvert dhclient-script or write to the hooks.d directories. As
# such, if the dhclient3 daemon is subverted, this effectively limits it to
# only being able to run the hooks scripts.
/sbin/dhclient-script Uxr,
# Run the ELF executables under their own unrestricted profiles
/usr/lib/NetworkManager/nm-dhcp-client.action Pxrm,
/usr/lib/connman/scripts/dhclient-script Pxrm,
# Site-specific additions and overrides. See local/README for details.
#include <local/sbin.dhclient>
}
/usr/lib/NetworkManager/nm-dhcp-client.action {
#include <abstractions/base>
#include <abstractions/dbus>
/usr/lib/NetworkManager/nm-dhcp-client.action mr,
/var/lib/NetworkManager/*lease r,
}
/usr/lib/connman/scripts/dhclient-script {
#include <abstractions/base>
#include <abstractions/dbus>
/usr/lib/connman/scripts/dhclient-script mr,
}