Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile
into lp:apparmor-profiles.
Requested reviews:
AppArmor Developers (apparmor-dev)
Related bugs:
Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile"
https://bugs.launchpad.net/apparmor-profiles/+bug/897392
For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/86430
Jamie, here is the new merge proposal for the Unbound profile that you asked
for. Thanks.
=== modified file 'ubuntu/12.04/usr.sbin.unbound'
--- ubuntu/12.04/usr.sbin.unbound 2011-11-30 12:57:44 +0000
+++ ubuntu/12.04/usr.sbin.unbound 2011-12-20 16:55:25 +0000
@@ -11,14 +11,22 @@
capability setuid,
capability sys_chroot,
capability sys_resource,
+ capability chown,
+ capability dac_override,
# for networking
owner @{PROC}/[0-9]*/net/if_inet6 r,
owner @{PROC}/[0-9]*/net/ipv6_route r,
+ # unbound wants to mmap those files but that's not
+ # authorized in the nameservice abstraction
+ /etc/passwd rm,
+ /etc/group rm,
+
# non-chrooted paths
/etc/unbound/** r,
owner /etc/unbound/*.key rw,
+ owner /var/lib/unbound/root.key rw,
audit deny /etc/unbound/unbound_{control,server}.key w,
# chrooted paths
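Review bot: `capability chown` and `capability dac_override` are added at the top of the hunk with no comment saying which operation needs them, and `dac_override` is broad, since it lets the process ignore file permission bits on every path the profile allows. Please add a comment naming the file or startup step that triggered each denial, and check whether correcting the ownership or mode of the affected files (for example `/var/lib/unbound/root.key`) would let you drop `dac_override`. Also note that the new `root.key` rule is `owner`-qualified, so it only matches when the process's fsuid equals the file's owner; if `dac_override` is needed because root touches a file owned by another user, that rule will not cover the access. For `/etc/passwd rm,` and `/etc/group rm,`, the `m` permission allows executable mappings, so the comment should say that the logged denial was for `m` rather than just "mmap".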