Merge lp:~sdeziel/apparmor-profiles/refresh-unbound into lp:apparmor-profiles

Proposed by Simon Déziel
Status: Merged
Merged at revision: 146
Proposed branch: lp:~sdeziel/apparmor-profiles/refresh-unbound
Merge into: lp:apparmor-profiles
Diff against target: 34 lines (+8/-10)
1 file modified
ubuntu/15.04/usr.sbin.unbound (+8/-10)
To merge this branch: bzr merge lp:~sdeziel/apparmor-profiles/refresh-unbound
Reviewer: AppArmor Developers
Review status: Pending
Review via email: mp+268924@code.launchpad.net

Description of the change

Nicolas Braud-Santoni's proposed profile update [1] made me revisit the Unbound profile. This merge proposal includes Nicolas' changes and drops unneeded rules/capabilities.

It also fixes and improves the rules protecting unbound_control.{key,pem} and unbound_server.key.

Thank you

1: https://lists.ubuntu.com/archives/apparmor/2015-August/008492.html

nicoo (nicolas+ubuntu1) wrote:

Looks good to me. Will test

Preview Diff

=== modified file 'ubuntu/15.04/usr.sbin.unbound'
--- ubuntu/15.04/usr.sbin.unbound 2014-10-24 19:02:18 +0000
+++ ubuntu/15.04/usr.sbin.unbound 2015-08-24 14:26:23 +0000
@@ -11,23 +11,21 @@
11 capability setuid,11 capability setuid,
12 capability sys_chroot,12 capability sys_chroot,
13 capability sys_resource,13 capability sys_resource,
14 capability chown,
15 capability dac_override,
1614
17 # for networking15 # root trust anchor
18 owner @{PROC}/[0-9]*/net/if_inet6 r,16 owner /var/lib/unbound/root.key* rw,
19 owner @{PROC}/[0-9]*/net/ipv6_route r,
2017
21 # non-chrooted paths18 # non-chrooted paths
22 /etc/unbound/** r,19 /etc/unbound/** r,
23 owner /etc/unbound/*.key rw,20 owner /etc/unbound/*.key* rw,
24 owner /var/lib/unbound/root.key rw,21 audit deny /etc/unbound/unbound_control.{key,pem} rw,
25 audit deny /etc/unbound/unbound_{control,server}.key w,22 audit deny /etc/unbound/unbound_server.key w,
2623
27 # chrooted paths24 # chrooted paths
28 /var/lib/unbound/** r,25 /var/lib/unbound/** r,
29 owner /var/lib/unbound/**/*.key rw,26 owner /var/lib/unbound/**/*.key* rw,
30 audit deny /var/lib/unbound/unbound_{control,server}.key w,27 audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,
28 audit deny /var/lib/unbound/**/unbound_server.key w,
3129
32 /etc/ssl/openssl.cnf r,30 /etc/ssl/openssl.cnf r,
3331
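
Review bot: The new chrooted deny rule `audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,` (and the matching unbound_server.key rule after it) no longer covers key files sitting directly in /var/lib/unbound/, which the removed `audit deny /var/lib/unbound/unbound_{control,server}.key w,` did. In AppArmor globs the `**/` segment needs at least one intermediate directory component, so a control key placed at the top of the chroot would still be readable through `/var/lib/unbound/** r,` and would not be audited. If those files can live at the top level, consider keeping explicit top-level deny rules next to the `**/` ones. Separately, a short comment or commit note on why capability chown and capability dac_override are dropped would help anyone later debugging a denial on a setup that still needs them.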