Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/refresh-unbound 
into lp:apparmor-profiles.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/refresh-unbound/+merge/268924

Nicolas Braud-Santoni's proposed profile update [1] made me revisit the Unbound 
profile. This merge proposal includes Nicolas' changes and drops unneeded 
rules/capabilities.

It also fixes and improves the rules protecting unbound_control.{key,pem} and 
unbound_server.key.

Thank you

1: https://lists.ubuntu.com/archives/apparmor/2015-August/008492.html
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~sdeziel/apparmor-profiles/refresh-unbound into lp:apparmor-profiles.
=== modified file 'ubuntu/15.04/usr.sbin.unbound'
--- ubuntu/15.04/usr.sbin.unbound	2014-10-24 19:02:18 +0000
+++ ubuntu/15.04/usr.sbin.unbound	2015-08-24 14:26:23 +0000
@@ -11,23 +11,21 @@
   capability setuid,
   capability sys_chroot,
   capability sys_resource,
-  capability chown,
-  capability dac_override,
 
-  # for networking
-  owner @{PROC}/[0-9]*/net/if_inet6 r,
-  owner @{PROC}/[0-9]*/net/ipv6_route r,
+  # root trust anchor
+  owner /var/lib/unbound/root.key* rw,
 
   # non-chrooted paths
   /etc/unbound/** r,
-  owner /etc/unbound/*.key rw,
-  owner /var/lib/unbound/root.key rw,
-  audit deny /etc/unbound/unbound_{control,server}.key w,
+  owner /etc/unbound/*.key* rw,
+  audit deny /etc/unbound/unbound_control.{key,pem} rw,
+  audit deny /etc/unbound/unbound_server.key w,
 
   # chrooted paths
   /var/lib/unbound/** r,
-  owner /var/lib/unbound/**/*.key rw,
-  audit deny /var/lib/unbound/unbound_{control,server}.key w,
+  owner /var/lib/unbound/**/*.key* rw,
+  audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,
+  audit deny /var/lib/unbound/**/unbound_server.key w,
 
   /etc/ssl/openssl.cnf r,
 

-- 
AppArmor mailing list
apparmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
