Hello Timo,

On 2018-11-09 8:13 a.m., Timo Sigurdsson wrote:
> However, I believe the patch is not fully correct. With the proposed
> patch, mounting of the notify socket is done under the condition that
> $CHROOT_DIR and $UNBOUND_BASE_DIR are *not* equal. This means that
> the socket will not be mounted if you define chroot: /etc/unbound in
> your unbound configuration. So, mounting of the notify socket should
> be moved outside of the existing if clause and moved into a separate
> "if [ -d "$CHROOT_DIR" ]; then" clause.
I don't remember testing with a chroot dir set to /etc/unbound so your point may be valid. However, please note that since Unbound writes to files inside its chroot (auto-trust-anchor-file) it may be best to avoid chroot'ing anywhere under /etc. /var/lib/unbound is a nice candidate IMHO.

> This is not the only issue with the current package-helper and chroot
> environments though. The chroot should also contain /dev/random as
> the documentation emphasizes

Good point. I haven't had the time to actually look at the code itself to confirm if the doc is current or would need to be refreshed (like for /dev/log). If you have the time it would be great!

> and the apparmor profile is missing the
> capability sys_chroot. I will submit separate bug reports for those
> two issues.

AFAIK, this capability has always been part of the apparmor profile [1].

Regards,
Simon

1: https://salsa.debian.org/dns-team/unbound/blob/master/debian/apparmor-profile
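The control-flow point Timo raises, as an added illustration that is not the Debian unbound package-helper or any code from this thread: the first function keys the notify-socket mount on $CHROOT_DIR and $UNBOUND_BASE_DIR differing, so "chroot: /etc/unbound" skips it; the second gives the socket (and the /dev/random node the documentation asks for) its own clause that depends only on the chroot directory existing. The socket path, the dry-run "run" wrapper and the mknod numbers (1,8 is Linux's /dev/random) are assumptions for the example; the commands are printed, not executed, so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not the Debian unbound package-helper.  Models the two
# conditional layouts discussed in the thread.  Privileged commands are
# echoed via run() instead of executed so the script works as a normal user.

# Hypothetical notify socket path; the real helper's path is not quoted in the thread.
NOTIFY_SOCKET="/run/systemd/notify"

# Dry-run wrapper: print the command that a real helper would execute.
run() {
    echo "+ $*"
}

# Layout from the proposed patch: the socket mount only happens inside the
# "chroot differs from base dir" clause, so chroot: /etc/unbound gets nothing.
chroot_setup_proposed() {
    CHROOT_DIR="$1"
    UNBOUND_BASE_DIR="$2"
    if [ -n "$CHROOT_DIR" ] && [ "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
        run mkdir -p "$CHROOT_DIR$(dirname "$NOTIFY_SOCKET")"
        run touch "$CHROOT_DIR$NOTIFY_SOCKET"
        run mount --bind "$NOTIFY_SOCKET" "$CHROOT_DIR$NOTIFY_SOCKET"
    fi
}

# Layout Timo suggests: keep whatever only matters when the chroot is not the
# base dir in the first clause, and key the socket mount and the /dev/random
# node solely on the chroot directory existing.
chroot_setup_fixed() {
    CHROOT_DIR="$1"
    UNBOUND_BASE_DIR="$2"
    if [ -n "$CHROOT_DIR" ] && [ "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
        :   # work specific to a chroot that is not the base dir stays here
    fi
    if [ -n "$CHROOT_DIR" ] && [ -d "$CHROOT_DIR" ]; then
        run mkdir -p "$CHROOT_DIR$(dirname "$NOTIFY_SOCKET")"
        run touch "$CHROOT_DIR$NOTIFY_SOCKET"
        run mount --bind "$NOTIFY_SOCKET" "$CHROOT_DIR$NOTIFY_SOCKET"
        # /dev/random is character device major 1, minor 8 on Linux
        run mkdir -p "$CHROOT_DIR/dev"
        run mknod -m 0644 "$CHROOT_DIR/dev/random" c 1 8
    fi
}

# Usage: chroot_setup_fixed /var/lib/unbound /etc/unbound
#        chroot_setup_fixed /etc/unbound /etc/unbound   (still mounts the socket)
```

Running both functions with the same directory for both arguments shows the difference: the proposed layout prints nothing, the fixed layout prints the mount and mknod steps. Note that neither variant does anything when the chroot directory is unset or does not exist, which is the precondition the `[ -d "$CHROOT_DIR" ]` test encodes.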