On 2017-11-27 09:22 AM, Peter Palfrader wrote:
> On Mon, 27 Nov 2017, Simon Deziel wrote:
> 
>> On 2017-11-26 03:31 AM, Peter Palfrader wrote:
>>> The apparmor policy for unbound allows access to
>>> /var/lib/unbound/root.key*, but it does not allow access to any
>>> other dynamically updated key the admin might have put there,
>>> such as debian.org.key on DSA infrastructure.
>>>
>>> Please allow access to all key files.
>>
>> Please see the attached patch.
> 
>>    # chrooted paths
>>    /var/lib/unbound/** r,
>> +  owner /var/lib/unbound/*.key* rw,
>>    owner /var/lib/unbound/**/*.key* rw,
> 
> This would allow /var/lib/unbound/root.key "twice", once via root.key,
> once via *.key.

Indeed, this patch should be better, thanks Peter.

commit a3325cb68a361f976f5d75ef1e3ebc3642759c07 (HEAD -> bug882731)
Author: Simon Deziel <si...@sdeziel.info>
Date:   Mon Nov 27 09:25:42 2017 -0500

    Allow accessing and maintaining any trust anchor file, not just the
    root one.
    
    Closes #882731

diff --git a/debian/apparmor-profile b/debian/apparmor-profile
index 624341c..3c36b13 100644
--- a/debian/apparmor-profile
+++ b/debian/apparmor-profile
@@ -16,8 +16,8 @@
   capability sys_chroot,
   capability sys_resource,
 
-  # root trust anchor
-  owner /var/lib/unbound/root.key* rw,
+  # auto trust anchors
+  owner /var/lib/unbound/*.key* rw,
 
   # root hints from dns-data-root
   /usr/share/dns/root.* r,
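
Review bot: the replacement rule `owner /var/lib/unbound/*.key* rw,` keeps the trailing `*` from the old `root.key*` rule, so it grants read/write on every owner-owned file directly in /var/lib/unbound whose name contains `.key`, not only on files ending in `.key`. The new comment "# auto trust anchors" does not say why the trailing wildcard is needed; either state the reason there (for example, if it is meant to cover temporary files written while an anchor is updated) or tighten the pattern to the suffixes actually used. The commit message could also mention that the profile already has `owner /var/lib/unbound/**/*.key* rw,` under the chrooted paths, so that this change reads as bringing the top-level directory in line with that existing rule.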
