[pkg-dhcp-devel] Bug#795467: isc-dhcp-client: Please include AppArmor profile for dhclient

[intrigeri at debian.org]

Package: isc-dhcp-client
Version: 4.3.2-1
Severity: wishlist
X-Debbug-Cc: pkg-apparmor-team at lists.alioth.debian.org
Tags: patch

Hi,

dhclient typically runs as root, is meant to access the network, and
has had grave security issues in the past (e.g. CVE-2011-0997,
CVE-2009-0692, CVE-2000-0585), so it feels like it should one of the
highest priority target for AppArmor confinement in Debian.

Ubuntu has been confining dhclient with AppArmor since more than
6 years (9.04).

I've been using their AppArmor profile on my personal laptop for more
than a year now, without any problem that wasn't resolved promptly.
This profile has been very stable for a while, and only very minor
changes are needed to update it from time to time (e.g.
when NetworkManager changes the location of its DHCP helper script).

Please consider applying the attached patch, that confines dhclient
with AppArmor. In the current state of things in Debian, this is
a no-op unless the user has explicitly enabled AppArmor on the kernel
command-line. If you ever have issues with this AppArmor profile in
the future, e.g. bug reports you're not sure how to handle, you can
count on the pkg-apparmor team to give you a hand (we have a set of
usertags that you can use to put a bug report on our radar):

https://lists.debian.org/debian-devel-announce/2015/03/msg00008.html

Note that Ubuntu also ships a profile for the DHCP server, but I've
not tested it on Debian so it's out-of-scope here: the attached patch
only includes the client's profile.

If you have any question or doubt, please let me know.

Cheers,
--
intrigeri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-enforcing-AppArmor-profile-for-dhclient-taken-fr.patch
Type: text/x-diff
Size: 7516 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-dhcp-devel/attachments/20150814/3d3baa90/attachment.patch>