Merge lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

Proposed by Simon Déziel
Status: Superseded
Proposed branch: lp:~sdeziel/apparmor-profiles/unbound-profile
Merge into: lp:apparmor-profiles
Diff against target: 35 lines (+31/-0)
1 file modified
ubuntu/12.04/usr.sbin.unbound (+31/-0)
To merge this branch: bzr merge lp:~sdeziel/apparmor-profiles/unbound-profile
Reviewer            Review Type    Date Requested    Status
Jamie Strandboge                                     Approve
Review via email: mp+83842@code.launchpad.net

This proposal has been superseded by a proposal from 2011-11-30.

Description of the change

This adds a profile for Unbound. It supports chroot'ing (in /var/lib/unbound) as well as privilege downgrade.

Jamie Strandboge (jdstrand) wrote :

ACK. Thanks!

review: Approve
Jamie Strandboge (jdstrand) wrote :

Can you comment why this is needed:
  capability dac_override,

I added a note in the profile in the meantime.

76. By Simon Déziel

remove the useless dac_override capability (thanks Jamie for pointing this out)

77. By Simon Déziel

remove the useless chown capability

78. By Simon Déziel

Unify rules to cover chroot'ed and non-chroot'ed configurations.
Audit/deny write access to unbound_(control|server).key while still
allowing write access to *.key to support the "auto-trust-anchor-file"
mechanism.

79. By Simon Déziel

Merged master branch

80. By Simon Déziel

The pid creation requires the dac_override and chown capabilities. Thanks Felix for pointing this out.

81. By Simon Déziel

Authorize mmap'ing /etc/{passwd,group} as Unbound insists on this. Thanks Felix for pointing this out.

82. By Simon Déziel

The root.key handling is not perfect. Ideally, this file should reside in the chroot
jail but that's not possible until LP: #898287 is addressed. For now, let's allow
writing to the file when not chroot'ed (the default is to run without chroot anyways).

83. By Simon Déziel

Merged lp:apparmor-profiles

Unmerged revisions

Preview Diff

1=== added file 'ubuntu/12.04/usr.sbin.unbound'
2--- ubuntu/12.04/usr.sbin.unbound 1970-01-01 00:00:00 +0000
3+++ ubuntu/12.04/usr.sbin.unbound 2011-11-29 19:47:43 +0000
4@@ -0,0 +1,31 @@
5+# vim:syntax=apparmor
6+#include <tunables/global>
7+
8+/usr/sbin/unbound {
9+ #include <abstractions/base>
10+ #include <abstractions/nameservice>
11+
12+ capability net_bind_service,
13+ capability setgid,
14+ capability setuid,
15+ capability chown,
16+ capability sys_chroot,
17+ capability sys_resource,
18+ capability dac_override,
19+
20+ # for networking
21+ owner @{PROC}/[0-9]*/net/if_inet6 r,
22+ owner @{PROC}/[0-9]*/net/ipv6_route r,
23+
24+ /etc/unbound/** r,
25+ owner /etc/unbound/*.key rw,
26+ audit deny /etc/unbound/unbound_server.key w,
27+ audit deny /etc/unbound/unbound_control.key w,
28+ /var/lib/unbound/** r,
29+ owner /var/lib/unbound/**/*.key rw,
30+ /etc/ssl/openssl.cnf r,
31+
32+ /usr/sbin/unbound mr,
33+
34+ /{,var/}run/unbound.pid rw,
35+}
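Review bot: `capability dac_override,` and `capability chown,` are the two rules a reader will stop at, and they carry no comment explaining their purpose while the `@{PROC}` rules do get a `# for networking` note; the thread above records that dac_override first looked unnecessary and that both capabilities turned out to be needed for creating the pid file, so that reasoning belongs in the profile itself, e.g. `# for creating and chown'ing /{,var/}run/unbound.pid` above those two lines. The key-file rules deserve a similar note: `audit deny /etc/unbound/unbound_server.key w,` and `audit deny /etc/unbound/unbound_control.key w,` are meant to carve exceptions out of `owner /etc/unbound/*.key rw,`, which works because AppArmor deny rules take precedence over allow rules irrespective of their order, but a one-line comment stating that intent would save the next reader from assuming the broader rw rule wins.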
