[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/unbound-profile into lp:apparmor-profiles

Jamie Strandboge jamie at ubuntu.com
Wed Nov 30 13:00:30 UTC 2011


Review: Approve

I have approved this and then made the following change:
revno: 80
committer: Jamie Strandboge <jamie at canonical.com>
branch nick: apparmor-profiles
timestamp: Wed 2011-11-30 06:57:44 -0600
message:
  ubuntu/12.04/usr.sbin.unbound:
  - add authorship
  - break out non-chroot and chroot parts, as this is easier to audit to
    my eyes anyway
diff:
=== modified file 'ubuntu/12.04/usr.sbin.unbound'
--- ubuntu/12.04/usr.sbin.unbound	2011-11-30 12:56:26 +0000
+++ ubuntu/12.04/usr.sbin.unbound	2011-11-30 12:57:44 +0000
@@ -1,4 +1,4 @@
-# TODO: comment on why we need 'capability dac_override'
+# Author: Simon Deziel
 # vim:syntax=apparmor
 #include <tunables/global>
 
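Review bot: the TODO asking why the profile needs `capability dac_override` is dropped here without the justification it was asking for being written anywhere in this hunk; the only replacement line is `# Author: Simon Deziel`. If the profile still grants that capability, the rationale (which file access in the non-chroot or chroot layout actually fails without it) should be recorded as a comment at the point the capability is granted; otherwise keep the TODO rather than silently closing the question, since an unexplained dac_override is exactly what a later audit of this profile will stop on.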
@@ -16,10 +16,16 @@
   owner @{PROC}/[0-9]*/net/if_inet6 r,
   owner @{PROC}/[0-9]*/net/ipv6_route r,
 
-  /{,var/lib/unbound/}etc/unbound/** r,
-  owner /{,var/lib/unbound/}etc/unbound/*.key rw,
-  audit deny /{,var/lib/unbound/}etc/unbound/unbound_server.key w,
-  audit deny /{,var/lib/unbound/}etc/unbound/unbound_control.key w,
+  # non-chrooted paths
+  /etc/unbound/** r,
+  owner /etc/unbound/*.key rw,
+  audit deny /etc/unbound/unbound_{control,server}.key w,
+
+  # chrooted paths
+  /var/lib/unbound/** r,
+  owner /var/lib/unbound/**/*.key rw,
+  audit deny /var/lib/unbound/unbound_{control,server}.key w,
+
   /etc/ssl/openssl.cnf r,
 
   /usr/sbin/unbound mr,
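Review bot: the chroot half of this hunk weakens the key protection the old rules gave. Before the change the chroot copies of the keys were matched via `/{,var/lib/unbound/}etc/unbound/unbound_server.key` and `..._control.key`, i.e. at `/var/lib/unbound/etc/unbound/`. The new `audit deny /var/lib/unbound/unbound_{control,server}.key w,` only covers the top of the chroot, while the new `owner /var/lib/unbound/**/*.key rw,` now grants write access to any `.key` in a subdirectory, including `etc/unbound/`. Net effect: a write to the chrooted control or server key is permitted instead of being audited and denied. Suggest `audit deny /var/lib/unbound/**/unbound_{control,server}.key w,`, or mirroring the non-chroot layout explicitly with `/var/lib/unbound/etc/unbound/unbound_{control,server}.key`, and adding a comment stating where the chroot keys live so the deny and rw rules can be checked against each other. Related style point: the non-chroot rw rule is `owner /etc/unbound/*.key rw,` while the chroot one is `owner /var/lib/unbound/**/*.key rw,`; use the same depth in both halves so the two sections stay directly comparable, which is the stated reason for splitting them.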
-- 
https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-profile/+merge/83892
Your team AppArmor Developers is subscribed to branch lp:apparmor-profiles.


