"deny capability chown" was initially added for the PID file, see [1]. Failing to chown the PID or the control socket is only logged at higher log level specifically to not generate noise when the chown capability isn't available, see [2,3]. The "capability fowner" was removed based on [4].
Currently, the unbound control socket is only accessible to root, requiring one to use "sudo unbound-control" (aka the bug at hand):

  $ ll /run/unbound.ctl
  srw-rw---- 1 root root 0 Feb 23 18:40 /run/unbound.ctl=

Re-introducing the chown/fowner caps would give us:

  $ ll /run/unbound.ctl
  srw-rw---- 1 unbound unbound 0 Feb 23 18:38 /run/unbound.ctl=

which would fix the bug at the expense of those additional caps. I'd vote in favor of re-introducing the capability for the sake of not having AppArmor "getting in the way". If that's OK with everyone, I'd send the patch to Debian as well.

1: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
2: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
3: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1332
4: https://lists.ubuntu.com/archives/apparmor/2016-January/009278.html

--
https://bugs.launchpad.net/bugs/1749931
Title: unbound-control local socket broken by apparmor
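An added check for the symptom discussed in this comment (example code, not from the bug report or from the unbound or AppArmor projects): it reports whether the control socket has the "unbound unbound" ownership and group rw mode shown above, and whether the AppArmor profile still carries the "deny capability chown" rule or already grants chown and fowner. The socket path, the service user name "unbound" and the profile path /etc/apparmor.d/usr.sbin.unbound are assumptions passed as arguments.

```shell
#!/bin/sh
# Defender-side check for the root-owned unbound control socket.
# Paths and the "unbound" user below are assumptions; override via arguments.

# Return 0 if FILE is owned by USER and has owner+group read/write
# (the "srw-rw---- unbound unbound" state the fix produces), else 1.
socket_owned_by() {
    file=$1; user=$2
    [ -e "$file" ] || { echo "missing: $file"; return 1; }
    set -- $(ls -ld "$file")        # e.g. "srw-rw---- 1 unbound unbound 0 ..."
    mode=$1; owner=$3
    case "$mode" in
        ?rw?rw*) ;;                 # owner rw and group rw bits present
        *) echo "unexpected mode $mode on $file"; return 1 ;;
    esac
    [ "$owner" = "$user" ] || { echo "$file owned by $owner, expected $user"; return 1; }
    return 0
}

# Return 0 if PROFILE still has an explicit "deny capability chown," rule,
# the setting that leaves the socket owned by root, else 1.
profile_denies_chown() {
    grep -Eq '^[[:space:]]*deny[[:space:]]+capability[[:space:]]+chown[[:space:]]*,' "$1"
}

# Return 0 if PROFILE grants both capabilities the proposed fix re-introduces.
profile_grants_chown_fowner() {
    grep -Eq '^[[:space:]]*capability[[:space:]]+chown[[:space:]]*,' "$1" &&
    grep -Eq '^[[:space:]]*capability[[:space:]]+fowner[[:space:]]*,' "$1"
}

main() {
    sock=${1:-/run/unbound.ctl}; user=${2:-unbound}
    profile=${3:-/etc/apparmor.d/usr.sbin.unbound}   # assumed profile location
    socket_owned_by "$sock" "$user" && echo "socket ownership OK"
    if profile_denies_chown "$profile"; then
        echo "profile still denies chown: unbound-control needs sudo"
    elif profile_grants_chown_fowner "$profile"; then
        echo "profile grants chown and fowner"
    else
        echo "profile has no explicit chown rule; check its abstractions"
    fi
}

# Run as: sh unbound-ctl-check.sh --check [socket] [user] [profile]
case "${1:-}" in --check) shift; main "$@" ;; esac
```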
