[pkg-apparmor] Bug#810888: bin.ping: does not let iputils-ping read /etc/libnl-3 or @{PROC}/@{pid}/net/psched
Simon McVittie
smcv at debian.org
Fri Feb 5 17:44:03 UTC 2016
On Wed, 13 Jan 2016 at 13:04:00 +0100, intrigeri wrote:
> Just curious, how can I trigger them locally?
After further investigation of this issue, libnl-3-200 is actually
pulled into confined processes on my system via libnss-gw-name. So
I think this should actually be part of the nameservice abstraction,
and I'd like to suggest this alternative patch:
--- apparmor_2.10-3_amd64/etc/apparmor.d/abstractions/nameservice 2016-01-25 23:24:22.000000000 +0000
+++ /etc/apparmor.d/abstractions/nameservice 2016-02-02 13:49:52.929534484 +0000
@@ -93,3 +93,7 @@
# interface details
@{PROC}/@{pid}/net/route r,
+
+ # libnl-3-200 via libnss-gw-name
+ @{PROC}/@{pid}/net/psched r,
+ /etc/libnl-*/classid r,
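Review bot: `/etc/libnl-*/classid r,` matches any `/etc/libnl-<anything>/classid`, which is wider than the `/etc/libnl-3` path named in the bug title; if the glob is only meant to survive a libnl ABI bump, `/etc/libnl-[0-9]*/classid r,` restricts it to versioned directories. The `@{PROC}/@{pid}/net/psched r,` rule is read-only and sits next to the existing `@{PROC}/@{pid}/net/route r,` context line, so it fits this block, and the `# libnl-3-200 via libnss-gw-name` comment records why the rules land in the nameservice abstraction rather than in bin.ping, which is the justification a later reader will need.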
Regards,
S