Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-refresh into lp:apparmor-profiles.
Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
--
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor-profiles/unbound-refresh into lp:apparmor-profiles.
=== modified file 'ubuntu/16.04/usr.sbin.unbound' --- ubuntu/16.04/usr.sbin.unbound 2015-10-27 01:49:53 +0000 +++ ubuntu/16.04/usr.sbin.unbound 2016-01-11 21:27:00 +0000 @@ -6,6 +6,10 @@ #include <abstractions/base> #include <abstractions/nameservice> + capability fowner, + capability fsetid, + capability chown, + capability dac_override, capability net_bind_service, capability setgid, capability setuid, @@ -15,6 +19,9 @@ # root trust anchor owner /var/lib/unbound/root.key* rw, + # root hints from dns-data-root + /usr/share/dns/root.* r, + # non-chrooted paths /etc/unbound/** r, owner /etc/unbound/*.key* rw, @@ -32,4 +39,7 @@ /usr/sbin/unbound mr, /{,var/}run/unbound.pid rw, + + # Unix control socket + /{,var/}run/unbound.ctl rw, }
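Review bot: In the first hunk (@@ -6,6 +6,10 @@), the four added capabilities (fowner, fsetid, chown, dac_override) carry no comment saying which unbound operation needs each one, while the later additions in this patch are all commented. dac_override in particular lets the confined process bypass file permission checks, which weakens the `owner` qualifiers used on the key file rules further down. Please note the denial or code path that motivated each capability, and check whether dac_override can be dropped by correcting ownership or modes on the affected files. As a style point, the existing list (net_bind_service, setgid, setuid) is alphabetical, and the new entries could be sorted to match (chown, dac_override, fowner, fsetid).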
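Review bot: In the second hunk (@@ -15,6 +19,9 @@), the comment says "root hints" but the rule `/usr/share/dns/root.* r,` matches every file in that directory whose name starts with `root.`, not only a hints file. Access is read-only, so the exposure is small, but either narrow the glob to the file names unbound actually opens or widen the comment so it describes what the rule permits.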
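Review bot: In the third hunk (@@ -32,4 +39,7 @@), `/{,var/}run/unbound.ctl rw,` is granted without the `owner` qualifier that the trust anchor and `/etc/unbound/*.key*` rules use. If the daemon creates this socket itself, consider `owner /{,var/}run/unbound.ctl rw,`. If the socket is the reason for the chown and fowner capabilities added in the first hunk, saying so in the "Unix control socket" comment would tie the two changes together for later readers.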