Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile 
into lp:apparmor-profiles.

Requested reviews:
  AppArmor Developers (apparmor-dev)
Related bugs:
  Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile"
  https://bugs.launchpad.net/apparmor-profiles/+bug/897392

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83842

This adds a profile for Unbound. It supports chroot'ing (in /var/lib/unbound) 
as well as privilege downgrade.
-- 
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83842
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles.
=== added file 'ubuntu/12.04/usr.sbin.unbound'
--- ubuntu/12.04/usr.sbin.unbound	1970-01-01 00:00:00 +0000
+++ ubuntu/12.04/usr.sbin.unbound	2011-11-29 19:47:43 +0000
@@ -0,0 +1,31 @@
+# vim:syntax=apparmor
+#include <tunables/global>
+
+/usr/sbin/unbound {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability chown,
+  capability sys_chroot,
+  capability sys_resource,
+  capability dac_override,
+
+  # for networking
+  owner @{PROC}/[0-9]*/net/if_inet6 r,
+  owner @{PROC}/[0-9]*/net/ipv6_route r,
+
+  /etc/unbound/** r,
+  owner /etc/unbound/*.key rw,
+  audit deny /etc/unbound/unbound_server.key w,
+  audit deny /etc/unbound/unbound_control.key w,
+  /var/lib/unbound/** r,
+  owner /var/lib/unbound/**/*.key rw,
+  /etc/ssl/openssl.cnf r,
+
+  /usr/sbin/unbound mr,
+
+  /{,var/}run/unbound.pid rw,
+}
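Review bot: the rule `owner /var/lib/unbound/**/*.key rw,` does not cover a key file sitting directly in /var/lib/unbound (the chroot root), because `**` placed between two slashes still requires a directory component before the file name; `owner /var/lib/unbound/{,**/}*.key rw,` covers both the top level and subdirectories. The same applies to `/var/lib/unbound/** r,` only as far as the directory itself goes, so check that whatever writes the key under the chroot actually lands where this rule matches. Separately, the capability block grants `dac_override`, `chown` and `sys_resource` with no comment saying which operation needs them (`# for networking` is the only comment in the profile); a short comment per capability, and for the two `audit deny` rules that override the `owner /etc/unbound/*.key rw,` allow above them, would make later tightening of this profile much easier to review.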

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor