# vim:syntax=apparmor
# Last Modified: Fri Jul 17 11:46:19 2009
# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>

/sbin/dhclient3 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability net_raw,
  capability sys_module,
  capability dac_override,

  network packet,
  network raw,

  @{PROC}/*/net/ r,
  @{PROC}/*/net/** r,

  /sbin/dhclient3 mr,

  /etc/dhclient.conf r,
  /etc/dhcp3/ r,
  /etc/dhcp3/** r,

  /var/lib/dhcp3/dhclient* lrw,
  /var/run/dhclient*.pid lrw,
  /var/run/dhclient*.lease* lrw,

  # NetworkManager
  /var/run/nm*conf r,

  # connman
  /var/run/connman/dhclient*.pid lrw,
  /var/run/connman/dhclient*.leases lrw,

  # synce-hal
  /usr/share/synce-hal/dhclient.conf r,

  # if there is a custom script, let it run unconfined
  /etc/dhcp3/dhclient-script Uxr,

  # The dhclient-script shell script sources other shell scripts rather than
  # executing them, so we can't just use a separate profile for dhclient-script
  # with 'Uxr' on the hook scripts. However, for the long-running dhclient3
  # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
  # able to subvert dhclient-script or write to the hooks.d directories. As
  # such, if the dhclient3 daemon is subverted, this effectively limits it to
  # only being able to run the hooks scripts.
  /sbin/dhclient-script                           Uxr,

  # Run the ELF executables under their own unrestricted profiles
  /usr/lib/NetworkManager/nm-dhcp-client.action   Pxr,
  /usr/lib/connman/scripts/dhclient-script        Pxr,
}

/usr/lib/NetworkManager/nm-dhcp-client.action {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/NetworkManager/nm-dhcp-client.action mr,
}

/usr/lib/connman/scripts/dhclient-script {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/connman/scripts/dhclient-script      mr,
}