Add profile for tinydns
Kees Cook
kees.cook at canonical.com
Tue Jun 8 17:15:47 BST 2010
Hi,

On Tue, Jun 08, 2010 at 10:39:33AM -0500, Jamie Strandboge wrote:
> Seth Arnold submitted[1] an AppArmor profile for tinydns[2]:
> # Last Modified: Sun Jun 6 20:49:33 2010
> #include <tunables/global>
>
> /usr/sbin/tinyproxy {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
>
>   capability setgid,
>   capability setuid,
>
>   /etc/tinyproxy.conf r,
>   /home/tinyproxy/ r,
>   /var/log/tinyproxy/tinyproxy.log rw,
>   /var/run/tinyproxy/tinyproxy.pid rw,
>   /usr/share/tinyproxy/*.html r,
>   /tmp/tinyproxy.shared.* rw,
>   /tmp/tinyproxy.servers.* rwk,
> }
>
> Not being a tinydns user, the profile looks ok to me, though I might
> suggest the following (untested) refinements:
>
> @{HOME}/tinyproxy/ r,

I think this should be @{HOMEDIRS}/tinyproxy/ r,

> owner /tmp/tinyproxy.shared.* rw,
> owner /tmp/tinyproxy.servers.* rwk,

Unrelated to AppArmor specifically, but has the creation method of these
files been checked? Is it doing /tmp files safely?

-Kees
--
Kees Cook
Ubuntu Security Team
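
The /tmp question raised in the message above, as an added example that is not part of the original message and is not tinyproxy's code: what creating a scratch file in /tmp safely looks like in C. The function names are hypothetical and the "tinyproxy.shared." prefix is a constructed name that only mirrors the profile rule.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a uniquely named scratch file. tmpl must end in XXXXXX; the
 * prefix used in main() is an assumed name matching the profile rule,
 * not taken from tinyproxy's source. */
int create_scratch(char *tmpl)
{
    struct stat st;
    mode_t old = umask(077);
    int fd = mkstemp(tmpl);          /* opens with O_CREAT|O_EXCL, mode 0600 */
    umask(old);
    if (fd < 0)
        return -1;
    /* Check the object behind the descriptor, never the path again. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* For a fixed, predictable name: O_EXCL makes open() fail if anything,
 * including a symlink planted by another user, already sits at path. */
int create_fixed_name(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(void)
{
    char tmpl[] = "/tmp/tinyproxy.shared.XXXXXX";   /* constructed name */
    int fd = create_scratch(tmpl);
    if (fd < 0) { perror("create_scratch"); return 1; }
    printf("created %s\n", tmpl);
    /* The name now exists, so a fixed-name create must be refused. */
    if (create_fixed_name(tmpl) < 0)
        printf("fixed-name create refused: %s\n", strerror(errno));
    close(fd);
    unlink(tmpl);
    return 0;
}
```

The `owner` qualifier suggested in the quoted rules limits access to files the confined process's user owns; it does not replace exclusive creation in the program itself.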