Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile 
into lp:apparmor-profiles.

Requested reviews:
  Jamie Strandboge (jdstrand)
  Felix Geyer (debfx)
Related bugs:
  Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile"
  https://bugs.launchpad.net/apparmor-profiles/+bug/897392

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/84024

This adds a profile for Unbound. It supports chroot'ing (in /var/lib/unbound) 
as well as privilege downgrade.
-- 
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/84024
Your team AppArmor Developers is subscribed to branch lp:apparmor-profiles.
=== modified file 'ubuntu/12.04/usr.sbin.unbound'
--- ubuntu/12.04/usr.sbin.unbound	2011-11-30 12:57:44 +0000
+++ ubuntu/12.04/usr.sbin.unbound	2011-11-30 21:51:24 +0000
@@ -11,14 +11,22 @@
   capability setuid,
   capability sys_chroot,
   capability sys_resource,
+  capability chown,
+  capability dac_override,
 
   # for networking
   owner @{PROC}/[0-9]*/net/if_inet6 r,
   owner @{PROC}/[0-9]*/net/ipv6_route r,
 
+  # unbound wants to mmap those files but that's not
+  # authorized in the nameservice abstraction
+  /etc/passwd rm,
+  /etc/group rm,
+
   # non-chrooted paths
   /etc/unbound/** r,
   owner /etc/unbound/*.key rw,
+  owner /var/lib/unbound/root.key rw,
   audit deny /etc/unbound/unbound_{control,server}.key w,
 
   # chrooted paths
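Review bot: the two new capability lines, `capability chown,` and `capability dac_override,`, are the only additions in this hunk without a comment saying which operation needs them, and `dac_override` in particular lets the daemon bypass DAC permission checks on every path the profile otherwise allows, so please add a comment naming the operation (for example the chroot setup under /var/lib/unbound) and the audit denial that prompted each one, as was done for the /etc/passwd and /etc/group rules. On those two rules, `m` only governs mappings with PROT_EXEC; the nameservice abstraction already grants `r` on both files, so if the logged denial was a plain read-only mmap the extra `m` is not what fixes it, and it is worth confirming from the audit log that an executable mapping is really requested before granting it.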

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
