Bug#934869: /etc/apparmor.d/usr.sbin.dnsmasq: profile doesn’t allow dnsmasq-base DNSSEC files


James Rowe
Package: apparmor-profiles
Version: 2.13.2-10
Severity: normal
File: /etc/apparmor.d/usr.sbin.dnsmasq

Dear Maintainer,

  If DNSSEC validation is enabled in the dnsmasq config file then the
/usr/share/dnsmasq-base/trust-anchors.conf should be read by dnsmasq.
However, the profile doesn’t allow access to it.

  The following simple patch enables reading the DNS setup from
dnsmasq-base:

--- a/usr.sbin.dnsmasq
+++ b/usr.sbin.dnsmasq
@@ -51,6 +51,8 @@
 
   /usr/share/dnsmasq/ r,
   /usr/share/dnsmasq/* r,
+  /usr/share/dnsmasq-base/ r,
+  /usr/share/dnsmasq-base/* r,
 
   /{,var/}run/*dnsmasq*.pid w,
   /{,var/}run/dnsmasq-forwarders.conf r,
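
Review bot: the added `/usr/share/dnsmasq-base/* r,` rule is broader than the need stated in the report, which names only /usr/share/dnsmasq-base/trust-anchors.conf. If nothing else in that directory has to be read, consider narrowing it to `/usr/share/dnsmasq-base/trust-anchors.conf r,`. If the glob is kept to mirror the existing `/usr/share/dnsmasq/* r,` rule, a short comment above the two new lines saying they cover the DNSSEC trust anchors shipped by dnsmasq-base would document why the directory is allowed.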

Thanks,

James

-- System Information:
Debian Release: 10.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.13.2-10

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- no debconf information

Bug#934869: [pkg-apparmor] Bug#934869: /etc/apparmor.d/usr.sbin.dnsmasq: profile doesn’t allow dnsmasq-base DNSSEC files

intrigeri-4
Control: forwarded -1 https://gitlab.com/apparmor/apparmor/-/merge_requests/547

Hi,

James Rowe (2019-08-16):
>   If DNSSEC validation is enabled in the dnsmasq config file then the
> /usr/share/dnsmasq-base/trust-anchors.conf should be read by dnsmasq.
> However, the profile doesn’t allow access to it.
>
>   The following simple patch enables reading the DNS setup from
> dnsmasq-base:

Thank you.

I've forwarded this as a merge request upstream:
https://gitlab.com/apparmor/apparmor/-/merge_requests/547

I expect the fix will be part of the upstream 3.0 release.

Next time, please consider submitting your fixes directly there:
taking me off the critical path would surely speed up the process
considerably :)


Bug#934869: [pkg-apparmor] Bug#934869: /etc/apparmor.d/usr.sbin.dnsmasq: profile doesn’t allow dnsmasq-base DNSSEC files

James Rowe
* intrigeri ([hidden email]) wrote:
> Next time, please consider submitting your fixes directly there:
> taking me off the critical path would surely speed up the process
> considerably :)

  Thanks!  And sorry, I remember struggling a little with where and
against which package (apparmor/dnsmasq) to file the bug.  I'll Try
Harder™

Thanks,

James