Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile
into lp:apparmor-profiles.
Requested reviews:
Jamie Strandboge (jdstrand)
Related bugs:
Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile"
https://bugs.launchpad.net/apparmor-profiles/+bug/897392
For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83892
This adds a profile for Unbound. It supports chroot'ing (in /var/lib/unbound)
as well as privilege downgrade.
=== modified file 'ubuntu/12.04/usr.sbin.unbound'
--- ubuntu/12.04/usr.sbin.unbound 2011-11-29 23:48:10 +0000
+++ ubuntu/12.04/usr.sbin.unbound 2011-11-30 04:41:24 +0000
@@ -9,22 +9,22 @@
capability net_bind_service,
capability setgid,
capability setuid,
- capability chown,
capability sys_chroot,
capability sys_resource,
+<<<<<<< TREE
# TODO: note why this is needed
capability dac_override,
+=======
+>>>>>>> MERGE-SOURCE
# for networking
owner @{PROC}/[0-9]*/net/if_inet6 r,
owner @{PROC}/[0-9]*/net/ipv6_route r,
- /etc/unbound/** r,
- owner /etc/unbound/*.key rw,
- audit deny /etc/unbound/unbound_server.key w,
- audit deny /etc/unbound/unbound_control.key w,
- /var/lib/unbound/** r,
- owner /var/lib/unbound/**/*.key rw,
+ /{,var/lib/unbound/}etc/unbound/** r,
+ owner /{,var/lib/unbound/}etc/unbound/*.key rw,
+ audit deny /{,var/lib/unbound/}etc/unbound/unbound_server.key w,
+ audit deny /{,var/lib/unbound/}etc/unbound/unbound_control.key w,
/etc/ssl/openssl.cnf r,
/usr/sbin/unbound mr,
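Review bot: The preview diff carries unresolved conflict markers around `capability dac_override` (`<<<<<<< TREE`, `=======`, `>>>>>>> MERGE-SOURCE`), so the branch needs to be merged with the current trunk and the conflict resolved by hand before this can land. The TREE side keeps `capability dac_override` with its "TODO: note why this is needed" comment and the MERGE-SOURCE side is empty; please either drop the capability deliberately or keep it with a comment stating why it is required. Separately, the new `/{,var/lib/unbound/}etc/unbound/**` rules are narrower than the removed `/var/lib/unbound/** r,` and `owner /var/lib/unbound/**/*.key rw,`: anything the daemon reads, or any key it writes, under `/var/lib/unbound` but outside `etc/unbound` is no longer allowed by the visible rules. If that tightening is intended, a one-line comment in the profile would make it clear, and the removal of `capability chown` deserves the same kind of note.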