[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles
Kees Cook
kees at ubuntu.com
Thu Dec 15 17:40:50 UTC 2011
Hi,
On Thu, Dec 15, 2011 at 10:47:09AM +0100, Christian Boltz wrote:
> Hello,
>
> Am Mittwoch, 30. November 2011 schrieb Simon Déziel:
> > === modified file 'ubuntu/12.04/usr.sbin.unbound'
> ...
> > + /etc/passwd rm,
> > + /etc/group rm,
>
> Minor nitpicking: Can someone change this to "mr" instead of "rm",
> please? Then it would follow the usual order all other profiles have,
> and would also avoid misunderstandings if an AppArmor newbie reads the
> profile ("what, unbound is allowed to delete (rm) /etc/passwdd?!?")
>
> Needless to say: I pre-ACK this change ;-)
Er, sorry I missed this before. If anything ever needs "m" on a
non-library, something is usually wrong with the binary itself. It is
likely running with the READ_IMPLIES_EXEC personality. I don't think we
should allow such unsafe environments. They should be _found_ because of
the lack of "m" on these files.
-Kees
--
Kees Cook
More information about the AppArmor
mailing list