Add some stuff

systems/lctr-a72xx/fs/etc/apparmor.d/sbin.dhclient

@@ -0,0 +1,105 @@
+# vim:syntax=apparmor
+#include <tunables/global>
+
+/{,usr/}sbin/dhclient flags=(attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+
+  capability net_bind_service,
+  capability net_raw,
+  capability dac_override,
+  capability net_admin,
+
+  network packet,
+  network raw,
+
+  @{PROC}/[0-9]*/net/ r,
+  @{PROC}/[0-9]*/net/** r,
+
+  /{,usr/}sbin/dhclient mr,
+  # LP: #1197484 and LP: #1202203 - why is this needed? :(
+  /{,usr/}bin/bash mr,
+
+  /etc/dhclient.conf r,
+  /etc/dhcp/ r,
+  /etc/dhcp/** r,
+
+  /var/lib/dhcp{,3}/dhclient* lrw,
+  /{,var/}run/dhclient*.pid lrw,
+  /{,var/}run/dhclient*.lease* lrw,
+
+  # NetworkManager
+  /{,var/}run/nm*conf r,
+  /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
+  /var/lib/NetworkManager/dhclient*.conf lrw,
+  /var/lib/NetworkManager/dhclient*.lease* lrw,
+  signal (receive) peer=/usr/sbin/NetworkManager,
+  ptrace (readby) peer=/usr/sbin/NetworkManager,
+
+  # connman
+  /{,var/}run/connman/dhclient*.pid lrw,
+  /{,var/}run/connman/dhclient*.leases lrw,
+
+  # synce-hal
+  /usr/share/synce-hal/dhclient.conf r,
+
+  # if there is a custom script, let it run unconfined
+  /etc/dhcp/dhclient-script Uxr,
+
+  # The dhclient-script shell script sources other shell scripts rather than
+  # executing them, so we can't just use a separate profile for dhclient-script
+  # with 'Uxr' on the hook scripts. However, for the long-running dhclient3
+  # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
+  # able to subvert dhclient-script or write to the hooks.d directories. As
+  # such, if the dhclient3 daemon is subverted, this effectively limits it to
+  # only being able to run the hooks scripts.
+  /{,usr/}sbin/dhclient-script                           Uxr,
+
+  # Run the ELF executables under their own unrestricted profiles
+  /usr/lib/NetworkManager/nm-dhcp-client.action   Pxrm,
+  /usr/lib/connman/scripts/dhclient-script        Pxrm,
+
+  # Support the new executable helper from NetworkManager.
+  /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
+  signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/sbin.dhclient>
+}
+
+/usr/lib/NetworkManager/nm-dhcp-client.action {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+  /usr/lib/NetworkManager/nm-dhcp-client.action mr,
+
+  /var/lib/NetworkManager/*lease r,
+  signal (receive) peer=/usr/sbin/NetworkManager,
+  ptrace (readby) peer=/usr/sbin/NetworkManager,
+  network inet dgram,
+  network inet6 dgram,
+}
+
+/usr/lib/NetworkManager/nm-dhcp-helper {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+  /usr/lib/NetworkManager/nm-dhcp-helper mr,
+
+  /run/NetworkManager/private-dhcp rw,
+  signal (send) peer=/sbin/dhclient,
+
+  /var/lib/NetworkManager/*lease r,
+  signal (receive) peer=/usr/sbin/NetworkManager,
+  ptrace (readby) peer=/usr/sbin/NetworkManager,
+  network inet dgram,
+  network inet6 dgram,
+}
+
+/usr/lib/connman/scripts/dhclient-script {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+  /usr/lib/connman/scripts/dhclient-script      mr,
+  network inet dgram,
+  network inet6 dgram,
+}
+