apparmor: allow yggdrasil to resolve hostnames (#739)
The apparmor profile in it's current state won't allow resolving hostnames. We need `<abstractions/nameservice>` because we simply can't just allow `/etc/resolv.conf`. This is because systemd-resolved, resolvconf, and others rely on symbolic links to `/etc/resolv.conf` which would make this extremely complicated. `<abstractions/nameservice>` deals with this complexity to allow every single one of those packages (systemd-resolved, resolvconf, ... ).
```
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
network netlink raw,
```
was removed because it's already included in `<abstractions/nameservice>`. Some permissions that are no longer needed in newer yggdrasil versions were also removed.
`owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,` was changed to `/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,` because there is no guarantee that yggdrasil will always be run as root. (`owner` makes sure that the process's user and the file have the same owner, in that case, root. This might not always be the case so `owner` was removed)
2020-12-06 23:52:10 +03:00
|
|
|
# Last Modified: Fri Oct 30 11:33:31 2020
|
2019-03-09 16:15:14 +03:00
|
|
|
#include <tunables/global>
|
|
|
|
|
|
|
|
|
|
/usr/bin/yggdrasil {
|
|
|
|
|
#include <abstractions/base>
|
apparmor: allow yggdrasil to resolve hostnames (#739)
The apparmor profile in it's current state won't allow resolving hostnames. We need `<abstractions/nameservice>` because we simply can't just allow `/etc/resolv.conf`. This is because systemd-resolved, resolvconf, and others rely on symbolic links to `/etc/resolv.conf` which would make this extremely complicated. `<abstractions/nameservice>` deals with this complexity to allow every single one of those packages (systemd-resolved, resolvconf, ... ).
```
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
network netlink raw,
```
was removed because it's already included in `<abstractions/nameservice>`. Some permissions that are no longer needed in newer yggdrasil versions were also removed.
`owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,` was changed to `/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,` because there is no guarantee that yggdrasil will always be run as root. (`owner` makes sure that the process's user and the file have the same owner, in that case, root. This might not always be the case so `owner` was removed)
2020-12-06 23:52:10 +03:00
|
|
|
#include <abstractions/nameservice>
|
2019-03-09 16:15:14 +03:00
|
|
|
|
|
|
|
|
capability net_admin,
|
2020-03-10 17:47:41 +03:00
|
|
|
capability net_raw,
|
2019-03-09 16:15:14 +03:00
|
|
|
|
|
|
|
|
/dev/net/tun rw,
|
apparmor: allow yggdrasil to resolve hostnames (#739)
The apparmor profile in it's current state won't allow resolving hostnames. We need `<abstractions/nameservice>` because we simply can't just allow `/etc/resolv.conf`. This is because systemd-resolved, resolvconf, and others rely on symbolic links to `/etc/resolv.conf` which would make this extremely complicated. `<abstractions/nameservice>` deals with this complexity to allow every single one of those packages (systemd-resolved, resolvconf, ... ).
```
network inet stream,
network inet dgram,
network inet6 dgram,
network inet6 stream,
network netlink raw,
```
was removed because it's already included in `<abstractions/nameservice>`. Some permissions that are no longer needed in newer yggdrasil versions were also removed.
`owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,` was changed to `/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,` because there is no guarantee that yggdrasil will always be run as root. (`owner` makes sure that the process's user and the file have the same owner, in that case, root. This might not always be the case so `owner` was removed)
2020-12-06 23:52:10 +03:00
|
|
|
/proc/sys/net/core/somaxconn r,
|
|
|
|
|
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
2019-03-09 16:15:14 +03:00
|
|
|
|
|
|
|
|
/etc/yggdrasil.conf rw,
|
|
|
|
|
/run/yggdrasil.sock rw,
|
|
|
|
|
}
|
