Hmm, I might have been too quick to add the caps denial. I understand your 
concern about masking future problems but on the other hand, Apparmor denials 
would have people wondering about what's going on.

I was tempted to ask upstream to skip the chown'ing if the PID is outside of 
the chroot but then one setting the PID to be in the chroot would be missing 
the caps... Would that be the least bad option?


-- 
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~sdeziel/apparmor-profiles/unbound-refresh into lp:apparmor-profiles.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to