Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles.
Requested reviews: AppArmor Developers (apparmor-dev)
Related bugs: Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile" https://bugs.launchpad.net/apparmor-profiles/+bug/897392
For more details, see: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83842

This adds a profile for Unbound. It supports chroot'ing (in /var/lib/unbound) as well as privilege downgrade.
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83842
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles.
=== added file 'ubuntu/12.04/usr.sbin.unbound' --- ubuntu/12.04/usr.sbin.unbound 1970-01-01 00:00:00 +0000 +++ ubuntu/12.04/usr.sbin.unbound 2011-11-29 19:47:43 +0000 @@ -0,0 +1,31 @@ +# vim:syntax=apparmor +#include <tunables/global> + +/usr/sbin/unbound { + #include <abstractions/base> + #include <abstractions/nameservice> + + capability net_bind_service, + capability setgid, + capability setuid, + capability chown, + capability sys_chroot, + capability sys_resource, + capability dac_override, + + # for networking + owner @{PROC}/[0-9]*/net/if_inet6 r, + owner @{PROC}/[0-9]*/net/ipv6_route r, + + /etc/unbound/** r, + owner /etc/unbound/*.key rw, + audit deny /etc/unbound/unbound_server.key w, + audit deny /etc/unbound/unbound_control.key w, + /var/lib/unbound/** r, + owner /var/lib/unbound/**/*.key rw, + /etc/ssl/openssl.cnf r, + + /usr/sbin/unbound mr, + + /{,var/}run/unbound.pid rw, +}
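Review bot: the write deny on the control keys only covers /etc/unbound, while `owner /var/lib/unbound/**/*.key rw,` grants write access to any *.key under the chroot directory the description says this profile supports; if unbound_server.key or unbound_control.key are copied into the chroot (as a chrooted unbound needs them to be), the `audit deny ... w` rules in /etc/unbound no longer protect them. Consider mirroring the two deny rules for the chroot, e.g. `audit deny /var/lib/unbound/**/unbound_server.key w,` and `audit deny /var/lib/unbound/**/unbound_control.key w,`, or narrowing the rw rule to the key files unbound-anchor actually rewrites. Separately, `capability dac_override,` and `capability sys_resource,` are unexplained: the networking reads carry a `# for networking` comment, so a one-line comment stating which operation needs each of these (and why `/var/lib/unbound/** r,` is not sufficient without dac_override) would help future maintainers judge whether they can be dropped.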
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor