Merge lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

Proposed by Simon Déziel
Status: Superseded
Proposed branch: lp:~sdeziel/apparmor-profiles/unbound-profile
Merge into: lp:apparmor-profiles
Diff against target: 33 lines (+7/-7) (has conflicts)
1 file modified
ubuntu/12.04/usr.sbin.unbound (+7/-7)
Text conflict in ubuntu/12.04/usr.sbin.unbound
To merge this branch: bzr merge lp:~sdeziel/apparmor-profiles/unbound-profile
Reviewer Review Type Date Requested Status
Jamie Strandboge Approve
Felix Geyer (community) Needs Fixing
Review via email: mp+83892@code.launchpad.net

This proposal supersedes a proposal from 2011-11-29.

This proposal has been superseded by a proposal from 2011-11-30.

Description of the change

This adds a profile for Unbound. It supports chroot'ing (in /var/lib/unbound) as well as privilege downgrade.

Jamie Strandboge (jdstrand) wrote : Posted in a previous version of this proposal

ACK. Thanks!

review: Approve
Jamie Strandboge (jdstrand) wrote : Posted in a previous version of this proposal

Can you comment why this is needed:
  capability dac_override,

I added a note in the profile in the meantime.

Simon Déziel (sdeziel) wrote :

I dropped the 2 capabilities that were useless (dac_override and chown). The new merge proposal is also protecting the control and server key while still allowing automatic key update using the auto-trust-anchor-file mechanism (RFC5011). The paths used to express the rules are now covering a regular setup and a chrooted one using this syntax:

/{,var/lib/unbound/}etc/unbound

Felix Geyer (debfx) wrote :

On Ubuntu 11.10 with a mostly default unbound configuration:

Nov 30 11:15:24 felix-ka kernel: [ 4633.749580] type=1400 audit(1322648124.325:120): apparmor="DENIED" operation="file_mmap" parent=4451 profile="/usr/sbin/unbound" name="/etc/passwd" pid=4463 comm="unbound" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Nov 30 11:15:24 felix-ka kernel: [ 4633.750649] type=1400 audit(1322648124.325:121): apparmor="DENIED" operation="capable" parent=4463 profile="/usr/sbin/unbound" pid=4464 comm="unbound" capability=1 capname="dac_override"
Nov 30 11:15:24 felix-ka kernel: [ 4633.750912] type=1400 audit(1322648124.325:122): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/unbound" pid=4464 comm="unbound" capability=0 capname="chown"
Nov 30 11:15:24 felix-ka kernel: [ 4633.751098] type=1400 audit(1322648124.325:123): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/sbin/unbound" name="/etc/group" pid=4464 comm="unbound" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Nov 30 11:15:24 felix-ka kernel: [ 4633.752543] type=1400 audit(1322648124.329:124): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/unbound" name="/var/lib/unbound/root.key" pid=4464 comm="unbound" requested_mask="r" denied_mask="r" fsuid=115 ouid=115

review: Needs Fixing
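An added example of how denials like the ones above are triaged (my own code, not part of the proposal and not AppArmor's own `aa-logprof`): it parses `type=1400` audit lines into their key=value fields and derives, per confined profile, the rule line that would cover each denial. The sample input is the five lines quoted in the comment; folding the `c` (create) and `d` (delete) mask letters into `w` reflects how file rules are written and is the one assumption the code makes beyond the log format.

```python
import re

# The five kernel audit lines posted in the review comment above (real log
# output quoted from the thread, not constructed here).
SAMPLE_DENIALS = """\
Nov 30 11:15:24 felix-ka kernel: [ 4633.749580] type=1400 audit(1322648124.325:120): apparmor="DENIED" operation="file_mmap" parent=4451 profile="/usr/sbin/unbound" name="/etc/passwd" pid=4463 comm="unbound" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Nov 30 11:15:24 felix-ka kernel: [ 4633.750649] type=1400 audit(1322648124.325:121): apparmor="DENIED" operation="capable" parent=4463 profile="/usr/sbin/unbound" pid=4464 comm="unbound" capability=1 capname="dac_override"
Nov 30 11:15:24 felix-ka kernel: [ 4633.750912] type=1400 audit(1322648124.325:122): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/unbound" pid=4464 comm="unbound" capability=0 capname="chown"
Nov 30 11:15:24 felix-ka kernel: [ 4633.751098] type=1400 audit(1322648124.325:123): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/sbin/unbound" name="/etc/group" pid=4464 comm="unbound" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Nov 30 11:15:24 felix-ka kernel: [ 4633.752543] type=1400 audit(1322648124.329:124): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/unbound" name="/var/lib/unbound/root.key" pid=4464 comm="unbound" requested_mask="r" denied_mask="r" fsuid=115 ouid=115
"""

# key=value pairs; values are either double-quoted (paths, names) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Order in which file permission letters are conventionally written in rules.
PERM_ORDER = "rwamlkx"


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalise_mask(mask):
    """Map a denied_mask to rule permission letters. Create ('c') and
    delete ('d') are granted by 'w' in profile syntax, so fold them in."""
    letters = {("w" if c in "cd" else c) for c in mask}
    return "".join(c for c in PERM_ORDER if c in letters)


def suggest_rule(fields):
    """Turn one parsed denial into the profile line that would permit it."""
    if fields.get("operation") == "capable":
        return f"capability {fields['capname']},"
    if "name" in fields and "denied_mask" in fields:
        return f"{fields['name']} {normalise_mask(fields['denied_mask'])},"
    return None  # network, signal, etc. are not handled by this example


def suggested_rules(log_text):
    """Group the unique suggested rules by the confined profile."""
    by_profile = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields is None:
            continue
        rule = suggest_rule(fields)
        if rule is None:
            continue
        rules = by_profile.setdefault(fields["profile"], [])
        if rule not in rules:
            rules.append(rule)
    return by_profile


if __name__ == "__main__":
    for profile, rules in suggested_rules(SAMPLE_DENIALS).items():
        print(f"# {profile}")
        for rule in rules:
            print(f"  {rule}")
```

The output for the quoted lines is the two capability rules plus `m` access to /etc/passwd and /etc/group and `r` access to /var/lib/unbound/root.key, which is exactly what the later revisions in this thread add back; a suggested rule is only a starting point, and a reviewer still has to decide whether each one is appropriate for the confined program.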
Felix Geyer (debfx) wrote :

dac_override and chown seem to be necessary to create/chown /var/run/unbound.pid.

Jamie Strandboge (jdstrand) wrote :

I have approved this and then made the following change:
revno: 80
committer: Jamie Strandboge <email address hidden>
branch nick: apparmor-profiles
timestamp: Wed 2011-11-30 06:57:44 -0600
message:
  ubuntu/12.04/usr.sbin.unbound:
  - add authorship
  - break out non-chroot and chroot parts, as this is easier to audit to
    my eyes anyway
diff:
=== modified file 'ubuntu/12.04/usr.sbin.unbound'
--- ubuntu/12.04/usr.sbin.unbound 2011-11-30 12:56:26 +0000
+++ ubuntu/12.04/usr.sbin.unbound 2011-11-30 12:57:44 +0000
@@ -1,4 +1,4 @@
-# TODO: comment on why we need 'capability dac_override'
+# Author: Simon Deziel
 # vim:syntax=apparmor
 #include <tunables/global>

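Review bot: Replacing the TODO with an author line drops the request for a justification without supplying one, so `capability dac_override,` stays unexplained in the profile. Suggest keeping a short comment next to the capability, e.g. `# needed to create/chown /var/run/unbound.pid` as reported in the testing comment above, so a later audit does not have to reconstruct why it is granted.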
@@ -16,10 +16,16 @@
   owner @{PROC}/[0-9]*/net/if_inet6 r,
   owner @{PROC}/[0-9]*/net/ipv6_route r,

- /{,var/lib/unbound/}etc/unbound/** r,
- owner /{,var/lib/unbound/}etc/unbound/*.key rw,
- audit deny /{,var/lib/unbound/}etc/unbound/unbound_server.key w,
- audit deny /{,var/lib/unbound/}etc/unbound/unbound_control.key w,
+ # non-chrooted paths
+ /etc/unbound/** r,
+ owner /etc/unbound/*.key rw,
+ audit deny /etc/unbound/unbound_{control,server}.key w,
+
+ # chrooted paths
+ /var/lib/unbound/** r,
+ owner /var/lib/unbound/**/*.key rw,
+ audit deny /var/lib/unbound/unbound_{control,server}.key w,
+
   /etc/ssl/openssl.cnf r,

   /usr/sbin/unbound mr,
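Review bot: In the chrooted block the allow and deny rules no longer cover the same files. `owner /var/lib/unbound/**/*.key rw,` permits writing any *.key anywhere below the chroot, including /var/lib/unbound/etc/unbound/unbound_server.key, while `audit deny /var/lib/unbound/unbound_{control,server}.key w,` only matches keys directly in /var/lib/unbound/, so the control and server keys under the chroot's etc/unbound/ lose the write protection that the original `/{,var/lib/unbound/}etc/unbound/unbound_{control,server}.key` rule gave them. Suggest `audit deny /var/lib/unbound/etc/unbound/unbound_{control,server}.key w,` and narrowing the allow to `owner /var/lib/unbound/etc/unbound/*.key rw,` so the chroot block mirrors the non-chroot one.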

review: Approve
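To make the difference between the brace form proposed by Simon (`/{,var/lib/unbound/}etc/unbound/...`) and the split non-chroot/chroot form in the commit above checkable, here is an added example (my own code, not part of the proposal and not AppArmor's parser): it expands AppArmor `{a,b}` alternation, translates `*`, `?` and `**` globs to regexes, and evaluates both rule sets from this thread under AppArmor's deny-wins semantics. It ignores the `owner` conditional and `@{}` variables, an assumption that holds for the rules shown here.

```python
import re


def expand_braces(pattern):
    """Expand AppArmor {a,b,...} alternation (nesting allowed) into a list
    of plain globs, e.g. '/{,x/}etc' -> ['/etc', '/x/etc']."""
    depth, start = 0, -1
    for i, ch in enumerate(pattern):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                alts, cur, d = [], "", 0
                for c in pattern[start + 1:i]:  # split on top-level commas
                    d += (c == "{") - (c == "}")
                    if c == "," and d == 0:
                        alts.append(cur)
                        cur = ""
                    else:
                        cur += c
                alts.append(cur)
                out = []
                for alt in alts:
                    out.extend(expand_braces(pattern[:start] + alt + pattern[i + 1:]))
                return out
    return [pattern]


def glob_to_regex(glob):
    """Translate a brace-free AppArmor glob into a compiled regex:
    '*' and '?' stop at '/', '**' crosses directory boundaries."""
    out, i = "", 0
    while i < len(glob):
        ch = glob[i]
        if ch == "*" and glob[i + 1:i + 2] == "*":
            out, i = out + ".*", i + 2
            continue
        if ch == "*":
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        elif ch == "[" and glob.find("]", i) > i:  # character class, same syntax
            end = glob.find("]", i)
            out, i = out + "[" + glob[i + 1:end] + "]", end
        else:
            out += re.escape(ch)
        i += 1
    return re.compile(out)


MODIFIERS = {"audit", "deny", "owner", "allow"}


def parse_rules(profile_text):
    """Parse file rules '[audit] [deny] [owner] /path perms,' into
    (is_deny, [patterns], {perms}); capability and other rule types are
    skipped, and 'owner' is treated as a plain allow (assumption)."""
    rules = []
    for raw in profile_text.splitlines():
        line = raw.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        mods = set()
        while tokens and tokens[0] in MODIFIERS:
            mods.add(tokens.pop(0))
        if len(tokens) != 2 or not tokens[0].startswith("/"):
            continue
        path, perms = tokens
        rules.append(("deny" in mods, [glob_to_regex(g) for g in expand_braces(path)], set(perms)))
    return rules


def check_access(rules, path, perm):
    """AppArmor semantics: an explicit deny always wins, otherwise any
    matching allow grants the access, otherwise it is implicitly denied."""
    allowed = False
    for is_deny, patterns, perms in rules:
        if perm in perms and any(p.fullmatch(path) for p in patterns):
            if is_deny:
                return False, "explicit deny rule"
            allowed = True
    return (True, "allowed by rule") if allowed else (False, "no matching rule (implicit deny)")


# Rules as written in the merge proposal, and as split in the commit above.
BRACE_FORM = """
/{,var/lib/unbound/}etc/unbound/** r,
owner /{,var/lib/unbound/}etc/unbound/*.key rw,
audit deny /{,var/lib/unbound/}etc/unbound/unbound_server.key w,
audit deny /{,var/lib/unbound/}etc/unbound/unbound_control.key w,
"""
SPLIT_FORM = """
/etc/unbound/** r,
owner /etc/unbound/*.key rw,
audit deny /etc/unbound/unbound_{control,server}.key w,
/var/lib/unbound/** r,
owner /var/lib/unbound/**/*.key rw,
audit deny /var/lib/unbound/unbound_{control,server}.key w,
"""
CHROOT_SERVER_KEY = "/var/lib/unbound/etc/unbound/unbound_server.key"


def compare_forms(path=CHROOT_SERVER_KEY, perm="w"):
    """Evaluate the same access under both rule sets."""
    return {"brace": check_access(parse_rules(BRACE_FORM), path, perm),
            "split": check_access(parse_rules(SPLIT_FORM), path, perm)}


if __name__ == "__main__":
    for name, verdict in compare_forms().items():
        print(f"{name}: write to {CHROOT_SERVER_KEY} -> {verdict}")
```

Run as-is it reports that a write to the server key inside the chroot's etc/unbound/ is explicitly denied under the brace form but allowed under the split form, because the split deny only names keys directly in /var/lib/unbound/ while `**/*.key` reaches into any subdirectory. The matcher is an approximation of apparmor_parser (no variables, no `owner` check), but it is enough to sanity-check a rule rewrite before loading it.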
Simon Déziel (sdeziel) wrote :

Felix, you are right about the pid creation requiring the 2 capabilities. The other errors you spotted do not show on Lucid. Thanks for testing this on Oneiric. I'll fix the profile to work under Oneiric.

The problem with the handling of /var/lib/unbound/root.key is something I'd like to cleanly address in LP: #898287.

79. By Simon Déziel

Merged master branch

80. By Simon Déziel

The pid creation requires the dac_override and chown capabilities. Thanks Felix for pointing this out.

81. By Simon Déziel

Authorize mmap'ing /etc/{passwd,group} as Unbound insists on this. Thanks Felix for pointing this out.

82. By Simon Déziel

The root.key handling is not perfect. Ideally, this file should reside in the chroot
jail but that's not possible until LP: #898287 is addressed. For now, let's allow
writing to the file when not chroot'ed (the default is to run without chroot anyway).

83. By Simon Déziel

Merged lp:apparmor-profiles

Unmerged revisions

Preview Diff

1=== modified file 'ubuntu/12.04/usr.sbin.unbound'
2--- ubuntu/12.04/usr.sbin.unbound 2011-11-29 23:48:10 +0000
3+++ ubuntu/12.04/usr.sbin.unbound 2011-11-30 04:41:24 +0000
4@@ -9,22 +9,22 @@
5 capability net_bind_service,
6 capability setgid,
7 capability setuid,
8- capability chown,
9 capability sys_chroot,
10 capability sys_resource,
11+<<<<<<< TREE
12 # TODO: note why this is needed
13 capability dac_override,
14+=======
15+>>>>>>> MERGE-SOURCE
16
17 # for networking
18 owner @{PROC}/[0-9]*/net/if_inet6 r,
19 owner @{PROC}/[0-9]*/net/ipv6_route r,
20
21- /etc/unbound/** r,
22- owner /etc/unbound/*.key rw,
23- audit deny /etc/unbound/unbound_server.key w,
24- audit deny /etc/unbound/unbound_control.key w,
25- /var/lib/unbound/** r,
26- owner /var/lib/unbound/**/*.key rw,
27+ /{,var/lib/unbound/}etc/unbound/** r,
28+ owner /{,var/lib/unbound/}etc/unbound/*.key rw,
29+ audit deny /{,var/lib/unbound/}etc/unbound/unbound_server.key w,
30+ audit deny /{,var/lib/unbound/}etc/unbound/unbound_control.key w,
31 /etc/ssl/openssl.cnf r,
32
33 /usr/sbin/unbound mr,
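Review bot: The hunk still carries unresolved conflict markers (`<<<<<<< TREE`, `=======`, `>>>>>>> MERGE-SOURCE`) around `capability dac_override,`, so the profile would not parse if merged as shown; the conflict needs resolving before this can land. It also removes `capability chown,` and, on the merge-source side, `capability dac_override,`, which the testing comment above reports are needed to create and chown /var/run/unbound.pid; keep both and document the reason in the profile rather than dropping them.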
