ANN: DNS resolver changes in yakkety
Jamie Strandboge
jamie at canonical.com
Fri Jun 24 13:35:59 UTC 2016
On Fri, 2016-06-24 at 11:24 +0200, Martin Pitt wrote:
> Marc Deslauriers [2016-06-16 12:06 +0300]:
> > For touch and confined applications, if this turns out to be a privacy
> > concern for our users, we can either turn off caching by default for the
> > touch devices, or we can disable caching only for confined applications
> > by adding some sort of AppArmor integration.
> I'm not sure how AppArmor or MAC in general could influence this. The
> only way "around" this would be to change nsswitch.conf for that
> particular process to not use "resolve" at all, but direct queries of
> the upstream DNS servers, but this would again break link specific DNS
> servers. So realistically this appears to me as a system-global
> decision.
>
I'm not suggesting we do this now or anything, but resolved could use the
libapparmor API to query for the security label of the connecting process and
therefore make decisions based on that label. For a simplistic but clear
example: if the label is unconfined, serve from cache, if not, don't.
--
Jamie Strandboge | http://www.canonical.com
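As an added illustration of the integration sketched in the message (not code from resolved, libapparmor or the thread): a resolver-side check that asks libapparmor for the connecting process's label over its Unix socket and applies the unconfined-only cache policy. The fallbacks when libapparmor or AppArmor are unavailable are assumptions made here.

```python
import ctypes
import ctypes.util
import os

# Hypothetical policy hook for a caching resolver: look up the AppArmor label of
# the process on the other end of a Unix socket with aa_getpeercon(3) and decide
# whether that peer may be answered from the shared cache.

def serve_from_cache(label, mode):
    """Policy from the message: unconfined peers get cached answers, confined do not.
    aa_getpeercon reports mode=None for an unconfined peer and a string such as
    'enforce' or 'complain' under a profile; complain mode still counts as confined."""
    return label == "unconfined" and mode is None

def _load_libapparmor():
    path = ctypes.util.find_library("apparmor")
    if path is None:
        raise OSError("libapparmor not found")
    lib = ctypes.CDLL(path, use_errno=True)
    lib.aa_is_enabled.argtypes = []
    lib.aa_is_enabled.restype = ctypes.c_int
    # int aa_getpeercon(int fd, char **label, char **mode): one malloc'd buffer,
    # mode points into it, caller frees it through label.
    lib.aa_getpeercon.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p),
                                  ctypes.POINTER(ctypes.c_void_p)]
    lib.aa_getpeercon.restype = ctypes.c_int
    return lib

def peer_label(lib, fd):
    """Return (label, mode) of the peer connected on Unix socket fd, or raise OSError."""
    label_p, mode_p = ctypes.c_void_p(), ctypes.c_void_p()
    if lib.aa_getpeercon(fd, ctypes.byref(label_p), ctypes.byref(mode_p)) < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    label = ctypes.string_at(label_p.value).decode()
    mode = ctypes.string_at(mode_p.value).decode() if mode_p.value else None
    libc = ctypes.CDLL(None)
    libc.free.argtypes = [ctypes.c_void_p]
    libc.free(label_p.value)
    return label, mode

def cache_policy_for_peer(fd):
    """Decision for one connection; the fallbacks are assumptions, not from the page."""
    try:
        lib = _load_libapparmor()
    except OSError:
        return True   # no libapparmor: no MAC labels to consult, keep normal caching
    if lib.aa_is_enabled() != 1:
        return True   # AppArmor not active: every process is effectively unconfined
    try:
        label, mode = peer_label(lib, fd)
    except OSError:
        return False  # AppArmor active but label unknown: fail closed, bypass the cache
    return serve_from_cache(label, mode)
```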