[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-20 Thread noreply
The proposal to merge lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles has been updated. Status: Needs review => Merged For more details, see: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/86430 -- https://code.launchpad.net/~sdeziel/app

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-20 Thread Jamie Strandboge
Review: Approve Approving without 'm' for /etc/passwd and /etc/group per Kees' comment. Thanks! -- https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/86430 Your team AppArmor Developers is subscribed to branch lp:apparmor-profiles. -- AppArmor mailing list AppArmor@lis

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-20 Thread Kees Cook
The "mr" stuff means _executable_ mmap. It looks like unbound has an executable stack. This should likely be fixed instead of adding "mr" to the abstraction, since it is a larger problem: # execstack -q /usr/sbin/unbound X /usr/sbin/unbound -- https://code.launchpad.net/~sdeziel/apparmor-profi

[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-20 Thread Simon Déziel
Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles. Requested reviews: AppArmor Developers (apparmor-dev) Related bugs: Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile" https://bugs.launchpad.net/apparmor-profiles/+bug

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-20 Thread Jamie Strandboge
Simon, at this point if we are missing fixes can you submit a new merge against the current apparmor-profiles? -- https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/84024

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-16 Thread Simon Déziel
Hi, After Jamie and Felix commented I made a new merge proposal but I think a previous one was merged. From what I see, lp:apparmor-profiles is missing rev 80 to 82 from lp:~sdeziel/apparmor-profiles/unbound-profile Maybe I did the proposal the wrong way, if yes please let me know how to correct

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-15 Thread Kees Cook
Hi, On Thu, Dec 15, 2011 at 10:47:09AM +0100, Christian Boltz wrote: > Hello, > > On Wednesday, 30 November 2011, Simon Déziel wrote: > > === modified file 'ubuntu/12.04/usr.sbin.unbound' > ... > > + /etc/passwd rm, > > + /etc/group rm, > > Minor nitpicking: Can someone change this to "mr" in

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-15 Thread Christian Boltz
Hello, On Wednesday, 30 November 2011, Simon Déziel wrote: > === modified file 'ubuntu/12.04/usr.sbin.unbound' ... > + /etc/passwd rm, > + /etc/group rm, Minor nitpicking: Can someone change this to "mr" instead of "rm", please? Then it would follow the usual order all other profiles have, a
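Review bot: the `m` on the two added rules `/etc/passwd rm,` and `/etc/group rm,` grants executable mmap of plain account data files, which a least-privilege profile should not allow; `r` alone covers reading them. The `file_mmap` denial reported elsewhere in this thread is attributed to the unbound binary having an executable stack, so the suggestion is to drop `m` from both rules and fix the binary instead of widening the profile.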

[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-14 Thread Steve Beattie
The proposal to merge lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles has been updated. Status: Needs review => Merged For more details, see: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/84024 -- https://code.launchpad.net/~sdeziel/app

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-09 Thread Simon Déziel
Felix, you are right about the pid creation requiring the 2 capabilities. The other errors you spotted do not show on Lucid. Thanks for testing this on Oneiric. I'll fix the profile to work under Oneiric. The problem with the handling of /var/lib/unbound/root.key is something I'd like to cleanl

[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-12-09 Thread Simon Déziel
Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles. Requested reviews: Jamie Strandboge (jdstrand) Felix Geyer (debfx) Related bugs: Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile" https://bugs.launchpad.net/apparmo

[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-30 Thread Simon Déziel
Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles. Requested reviews: Jamie Strandboge (jdstrand) Related bugs: Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile" https://bugs.launchpad.net/apparmor-profiles/+bug/897392

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-30 Thread Simon Déziel
I dropped the 2 capabilities that were useless (dac_override and chown). The new merge proposal is also protecting the control and server key while still allowing automatic key update using the auto-trust-anchor-file mechanism (RFC5011). The paths used to express the rules are now covering a reg

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-30 Thread Felix Geyer
Review: Needs Fixing On Ubuntu 11.10 with a mostly default unbound configuration: Nov 30 11:15:24 felix-ka kernel: [ 4633.749580] type=1400 audit(1322648124.325:120): apparmor="DENIED" operation="file_mmap" parent=4451 profile="/usr/sbin/unbound" name="/etc/passwd" pid=4463 comm="unbound" requ

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-30 Thread Felix Geyer
dac_override and chown seem to be necessary to create/chown /var/run/unbound.pid. -- https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83892

[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-30 Thread noreply
The proposal to merge lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles has been updated. Status: Needs review => Merged For more details, see: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83892 -- https://code.launchpad.net/~sdeziel/app

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-30 Thread Jamie Strandboge
Review: Approve I have approved this and then made the following change: revno: 80 committer: Jamie Strandboge branch nick: apparmor-profiles timestamp: Wed 2011-11-30 06:57:44 -0600 message: ubuntu/12.04/usr.sbin.unbound: - add authorship - break out non-chroot and chroot parts, as this is

[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-29 Thread noreply
The proposal to merge lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles has been updated. Status: Needs review => Merged For more details, see: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83842 -- https://code.launchpad.net/~sdeziel/app

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-29 Thread Jamie Strandboge
Can you comment why this is needed: capability dac_override, I added a note in the profile in the meantime. -- https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83842

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-29 Thread Jamie Strandboge
Review: Approve ACK. Thanks! -- https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83842

[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

2011-11-29 Thread Simon Déziel
Simon Déziel has proposed merging lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles. Requested reviews: AppArmor Developers (apparmor-dev) Related bugs: Bug #897392 in AppArmor Profiles: "[wishlist] add unbound profile" https://bugs.launchpad.net/apparmor-profiles/+bug