[Pkg-swan-devel] Bug#915147: should that be an opt-in?
Christian Ehrhardt
christian.ehrhardt at canonical.com
Mon Dec 3 07:03:08 GMT 2018
Hi, I thought write should be admin opt-in;
the profile already has

    #include <abstractions/nameservice>

which has

    /etc/resolv.conf r,

Yes, your Deny is a write Deny, and that is why you add a "w" rule, but
I thought that should be an explicit admin opt-in for security
reasons. After all, changing name resolution is a nice place to start
an attack, and opening that (by default) to software that is reachable
from the outside by design might not be too good.

Maybe we could ship a commented-out line with some comment on what it is
used for and ask users to "put that in your apparmor...local... file
if you want to use ..."

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
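
The distinction discussed in the message above, as an added example that is not part of the original message or of the package's profile: a Python check that lists AppArmor file rules covering write access to /etc/resolv.conf, so a "w" rule shipped by default stands out in review while a commented-out opt-in line does not. The profile text and the name `example-daemon` are constructed; only `path perms,` rules with the globs `**`, `*`, `?` and `{a,b}` are parsed, and `#include` lines are not followed.

```python
import re

TARGET = "/etc/resolv.conf"
QUALIFIERS = {"audit", "allow", "deny", "owner"}
WRITE_PERMS = {"w", "a"}  # "a" (append) also modifies the file
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}

def glob_to_regex(glob):
    """Translate the AppArmor glob subset handled here: **, *, ? and {a,b}."""
    depth, out = 0, []
    for tok in re.findall(r"\*\*|.", glob):
        depth += (tok == "{") - (tok == "}")
        literal = tok == "," and depth == 0  # a comma outside {} is literal
        out.append(re.escape(tok) if literal or tok not in GLOB else GLOB[tok])
    return re.compile("".join(out))

def resolv_conf_write_rules(profile_text, target=TARGET):
    """Return (line_no, 'allow'|'deny', rule) for write rules matching target."""
    hits = []
    for no, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.split(" #")[0].strip()  # drop trailing/indented comments
        if not line or line.startswith("#") or not line.endswith(","):
            continue
        tokens = line[:-1].split()
        kind = "deny" if "deny" in tokens[:2] else "allow"
        while tokens and tokens[0] in QUALIFIERS:
            tokens.pop(0)
        if len(tokens) != 2 or not tokens[0].startswith("/"):
            continue  # not a 'path perms,' file rule
        path, perms = tokens
        if WRITE_PERMS & set(perms) and glob_to_regex(path).fullmatch(target):
            hits.append((no, kind, line))
    return hits

SAMPLE_PROFILE = """\
# constructed sample, not the package's real profile
profile example-daemon /usr/sbin/example-daemon {
  #include <abstractions/nameservice>
  /etc/resolv.conf r,
  # /etc/resolv.conf w,
  owner /etc/{hosts,resolv.conf} w,
  deny /etc/*.conf w,
  /var/log/** w,
}
"""

if __name__ == "__main__":
    for hit in resolv_conf_write_rules(SAMPLE_PROFILE):
        print(hit)
```
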