On 04/05/2012 01:47 PM, Christian Boltz wrote:
> Hello,
>
sorry for the delay, very busy lately for some reason :/

> should we check all profiles if they need inet6 added?
>
yes, thanks for bringing this up

> (Note that I don't have an IPv6 setup here, so I can't test it.)
>
>
> A quick grep shows the following candidates:
>
> a) profiles/apparmor.d/
>
>> bin.ping: network inet raw,
>
> Does /bin/ping also work for ipv6 or is that the job of the separate
> /bin/ping6 binary? ping6 doesn't have a profile yet - maybe we could
> solve it by changing the profile name to /bin/ping{,6} ?
>
yes ping supports ipv6

>> sbin.klogd: network inet stream,
>
> Does klogd support IPv6?
>
not that I know of, and a quick google didn't turn up anything

>> usr.lib.dovecot.managesieve-login: network inet stream,
>
> Same question here ;-) - usr.lib.dovecot.imap-login has IPv6 support
> (see separate mail with patch some minutes ago), so chances are good.
>
err, wasn't this addressed here
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/978584

>> usr.sbin.dnsmasq: network inet raw,
>
yep

> ... and here
>
>> usr.sbin.nscd: network inet dgram,
>> usr.sbin.nscd: network inet stream,
>
yep

> ... and here
>
>> usr.sbin.ntpd: network inet dgram,
>> usr.sbin.ntpd: network inet stream,
>> usr.sbin.ntpd: network inet6 stream,
>
> ... and here - but only for inet6 dgram. Note that inet{,6} stream is
> already allowed.
>
I am not sure but would assume so

>
> b) profiles/apparmor/profiles/extras/
>
>> usr.sbin.dhcpd: network inet raw,
>
> Does dhcpd also handle IPv6 or is there a separate version?
>
>
hrmmm, I believe it can be run in either mode, so either ipv4 or ipv6. I
am not sure it can do both simultaneously.

> Fortunately most profiles get network access via abstractions, which
> already include support for IPv4 and IPv6.
>
yes, and no. It's covered a lot by default but once we tighten things down
I am not so sure it will be something we want in the base abstractions
anymore

>
>
> Regards,
>
> Christian Boltz
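The check discussed in this thread (finding profiles that allow a socket type for inet but not for inet6) can be scripted. The following is an added example, not part of the original mail or of the AppArmor project; the function names are hypothetical, the sample profile bodies are constructed from the rule lines quoted above, and it assumes plain one-line `network <family> [<type>],` rules.

```python
import re

# Plain allow rules of the form "network <family> [<type>],".
# Rules prefixed with "deny" do not match and are therefore skipped.
RULE = re.compile(r"^\s*(?:audit\s+)?network\s+(inet6?)(?:\s+(\w+))?\s*,")

def missing_inet6(profile_text):
    """Return the socket types allowed for inet but not for inet6."""
    seen = {"inet": set(), "inet6": set()}
    for line in profile_text.splitlines():
        # Drop trailing comments; "#include" lines become empty and are ignored.
        m = RULE.match(line.split("#", 1)[0])
        if m:
            # A rule without a type covers every socket type of that family.
            seen[m.group(1)].add(m.group(2) or "*")
    if "*" in seen["inet6"]:
        return []
    return sorted(seen["inet"] - seen["inet6"])

def audit(profiles):
    """Map profile name -> missing inet6 types, omitting profiles with no gap."""
    return {name: gaps for name, text in profiles.items()
            if (gaps := missing_inet6(text))}

# Constructed sample input: rule lines as quoted in the thread, plus two
# made-up profiles that need no change.
SAMPLES = {
    "bin.ping": "network inet raw,\n",
    "usr.sbin.ntpd": ("network inet dgram,\n"
                      "network inet stream,\n"
                      "network inet6 stream,\n"),
    "constructed.dualstack": ("network inet stream,\n"
                              "network inet6 stream,  # both families\n"),
    "constructed.anytype": "network inet dgram,\nnetwork inet6,\n",
}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLES).items():
        for sock_type in gaps:
            print(f"{name}: consider adding 'network inet6 {sock_type},'")
```

A hit only means the rule is absent; whether the confined program actually uses IPv6 still has to be confirmed per binary, as the replies above do for klogd and dhcpd.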