Ubuntu 16.04: Enforce sbin.dhclient profile to AppArmor

1 Install AppArmor

Install AppArmor as described in this article. The example profile used below ships in the apparmor-profiles package, and aa-enforce comes from apparmor-utils, so both packages need to be installed as well.

2 Modify and apply sbin.dhclient profile

Use /usr/share/doc/apparmor-profiles/extras/sbin.dhclient as the starting point and copy it into /etc/apparmor.d/:

$ sudo cp /usr/share/doc/apparmor-profiles/extras/sbin.dhclient /etc/apparmor.d/

Modify /etc/apparmor.d/sbin.dhclient with the following patch. The patch was derived from the DENIED messages AppArmor logged (type=1400 audit records in the kernel log) while dhclient ran under the unmodified profile.

This does not suppress every denial, though: one DENIED entry reports name="run/systemd/journal/dev-log" with no leading slash, and a rule written with that path is rejected by the AppArmor parser as a syntax error, since path rules must be absolute.

$ cd /etc/apparmor.d/$ cat <<EOF | sudo patch -p1— a/sbin.dhclient 2017-03-16 10:11:02.000000000 +0900+++ b/sbin.dhclient 2017-06-14 23:41:28.360129670 +0900@@ -74,7 +74,9 @@ /etc/sysconfig/network/scripts/functions r, /sbin/ip mrix, /usr/lib/NetworkManager/nm-dhcp-client.action mrix,+ /usr/lib/NetworkManager/nm-dhcp-helper ix, /var/lib/dhcp/* rw, /{,var/}run/nm-dhclient-*.conf r,-+ /{,var/}run/NetworkManager/private-dhcp rw,+ /{,var/}run/systemd/journal/dev-log w, }EOF
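Review bot: the added `+ /{,var/}run/systemd/journal/dev-log w,` rule cannot match the denial quoted in the prose, whose name is logged as `run/systemd/journal/dev-log` without the leading slash: AppArmor reports a name that way when it could not resolve it to the namespace root (a disconnected path), and a path rule only matches absolute names, so the rule is dead as written. The profile-level `attach_disconnected` flag is the mechanism for that case; either add it to the profile header or drop the rule and document the denial as expected. Secondary point: `+ /usr/lib/NetworkManager/nm-dhcp-helper ix,` grants exec only, while the neighbouring `/usr/lib/NetworkManager/nm-dhcp-client.action mrix,` line also grants read and mmap; consider `mrix` for consistency. Finally, the `---` file header has been rendered as an em dash (`— a/sbin.dhclient`), so the heredoc will not apply with `patch -p1` if copied as shown.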

Enforce the sbin.dhclient profile.

$ sudo aa-enforce /etc/apparmor.d/sbin.dhclient
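The patch above was written by hand from DENIED audit records, and the dev-log denial shows where that approach stops working. The script below is an added example, not code from the original post or from the AppArmor project: it derives candidate profile rules from audit lines the way the patch was derived, and flags names without a leading slash instead of emitting a rule the parser would reject. The audit lines in SAMPLE_LOG are constructed for illustration, not captured from a real host; aa-logprof from apparmor-utils is the interactive tool that does this job properly.

```shell
#!/bin/sh
# Added example, not code from the original post: turn AppArmor DENIED audit
# records into candidate profile rules, which is the manual work behind the
# patch above. Names that AppArmor logs without a leading slash (disconnected
# paths) are reported on stderr rather than turned into unparseable rules.

# Constructed sample audit records (not real captures); the field layout
# follows the kernel's type=1400 AppArmor messages as they appear in syslog.
SAMPLE_LOG='Jun 14 23:30:01 host kernel: audit: type=1400 audit(1497450601.123:45): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/run/NetworkManager/private-dhcp" pid=1234 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 14 23:30:01 host kernel: audit: type=1400 audit(1497450601.124:46): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/run/NetworkManager/private-dhcp" pid=1234 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 14 23:30:02 host kernel: audit: type=1400 audit(1497450602.001:47): apparmor="DENIED" operation="exec" profile="/sbin/dhclient" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1240 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 14 23:30:02 host kernel: audit: type=1400 audit(1497450602.002:48): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/sbin/dhclient" name="run/systemd/journal/dev-log" pid=1240 comm="nm-dhcp-helper" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 14 23:30:03 host kernel: audit: type=1400 audit(1497450603.000:49): apparmor="ALLOWED" operation="open" profile="/sbin/dhclient" name="/var/lib/dhcp/dhclient.leases" pid=1234 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# Read audit lines on stdin; print one rule per denied absolute path, in the
# order first seen, with the requested permissions of all records merged.
denied_to_rules() {
    awk '
    /apparmor="DENIED"/ {
        if (!match($0, /name="[^"]*"/)) next
        name = substr($0, RSTART + 6, RLENGTH - 7)
        if (!match($0, /requested_mask="[^"]*"/)) next
        mask = substr($0, RSTART + 16, RLENGTH - 17)
        if (substr(name, 1, 1) != "/") {
            # AppArmor logs a disconnected path without its leading slash.
            # A rule written that way is a parser syntax error, and an
            # absolute rule does not match it either; the profile needs
            # flags=(attach_disconnected) before any path rule can apply.
            print "# skipped " name " (" mask "): disconnected path" > "/dev/stderr"
            next
        }
        gsub(/c/, "w", mask)      # create (c) is expressed as write in a rule
        if (!(name in seen)) { seen[name] = 1; names[++count] = name }
        for (i = 1; i <= length(mask); i++) have[name, substr(mask, i, 1)] = 1
    }
    END {
        n = split("r w a m k l x", order, " ")
        for (j = 1; j <= count; j++) {
            name = names[j]; perm = ""
            for (i = 1; i <= n; i++) if ((name, order[i]) in have) perm = perm order[i]
            if (perm == "") {
                # e.g. socket masks such as "send" have no file-rule equivalent
                print "# skipped " name ": no file permission in mask" > "/dev/stderr"
                continue
            }
            sub(/x$/, "ix", perm)  # bare x is not a rule; inherit the current profile
            print "  " name " " perm ","
        }
    }'
}

# Stand-alone run: print the candidate rules for the sample records.
printf '%s\n' "$SAMPLE_LOG" | denied_to_rules
```

On the sample records this prints `/run/NetworkManager/private-dhcp rw,` and `/usr/lib/NetworkManager/nm-dhcp-helper ix,`, and reports the dev-log name on stderr; the hand-written patch generalized those paths to `/{,var/}run/`, which is a judgement call the script does not make. Before running `aa-enforce`, `sudo apparmor_parser -Q /etc/apparmor.d/sbin.dhclient` parses the edited profile without loading it and is where a rule written without a leading slash fails; afterwards, `sudo aa-status` should list `/sbin/dhclient` under the profiles in enforce mode.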

