PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

Apparmor Changehat support #2223

Open darix opened 9 years ago

darix commented 9 years ago

Apparmor has a neat feature called "change_hat". In short it allows an application to switch into a less privileged scope. A common use case is for apache to have a generic profile and then use hats for different vhosts/apps. A profile for pdns-recursor could look like this:

#include <tunables/global>
## if you run without chroot use this line:
@{PDNS_CHROOT} = ""
## if you run with a chroot use this line:
# @{PDNS_CHROOT} = "/var/lib/pdns"
/usr/sbin/pdns_recursor {
 #include <abstractions/base>
 #include <abstractions/nameservice>
 capability net_bind_service,
 capability setgid,
 capability setuid,
 capability sys_chroot,
 /etc/pdns/recursor.conf r,
 @{PDNS_CHROOT}/var/run/pdns/pdns_recursor.controlsocket rwlk,
 @{PDNS_CHROOT}/var/run/pdns/pdns_recursor.pid rwl,
 @{PDNS_CHROOT}/run/pdns/pdns_recursor.controlsocket rwlk,
 @{PDNS_CHROOT}/run/pdns/pdns_recursor.pid rwl,

 ^afterstart {
  # remaining permissions here
  # e.g. drop chroot/setgid/setuid
 }
}

in the pdns recursor config you would need something like:

apparmor-hat = "afterstart"

Examples for the code can be found e.g. in php-fpm change_hat support or Apache.
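An added sketch, not PowerDNS code, of what such an option could do inside the daemon: read the proposed `apparmor-hat` setting from a recursor.conf line and, once the chroot/setgid/setuid steps are done, call libapparmor's aa_change_hat() with an unpredictable token. The `parse_apparmor_hat`/`enter_hat` names, the result codes and the weak-symbol declaration (so the example builds without libapparmor; a real build would link -lapparmor and use <sys/apparmor.h>) are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Real prototype from libapparmor; declared weak here only so that this
 * example links without the library (the pointer is then NULL). */
extern int aa_change_hat(const char *subprofile, unsigned long magic_token)
    __attribute__((weak));

enum hat_result { HAT_OK = 0, HAT_NO_LIB, HAT_UNCONFINED, HAT_FAILED };

/* Parse a config line of the form: apparmor-hat = "afterstart"
 * Accepts an unquoted value too; the hat name is limited to [A-Za-z0-9_-].
 * Returns 1 and fills out on success, 0 if the line is not this setting. */
int parse_apparmor_hat(const char *line, char *out, size_t outlen) {
    const char *key = "apparmor-hat";
    size_t klen = strlen(key), n = 0;
    while (*line == ' ' || *line == '\t') line++;
    if (strncmp(line, key, klen) != 0) return 0;
    line += klen;
    while (*line == ' ' || *line == '\t') line++;
    if (*line++ != '=') return 0;
    while (*line == ' ' || *line == '\t') line++;
    int quoted = (*line == '"');
    if (quoted) line++;
    while (line[n] && !strchr("\" \t\r\n", line[n])) {
        if (!isalnum((unsigned char)line[n]) && line[n] != '_' && line[n] != '-')
            return 0;
        n++;
    }
    if (n == 0 || n >= outlen || (quoted && line[n] != '"')) return 0;
    memcpy(out, line, n);
    out[n] = '\0';
    return 1;
}

/* Random token: whoever knows it can aa_change_hat(NULL, token) back to the
 * parent profile, so it is drawn from /dev/urandom and never logged. */
unsigned long fresh_token(void) {
    unsigned long t = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) { if (fread(&t, sizeof t, 1, f) != 1) t = 0; fclose(f); }
    return t;
}

/* Call after chroot/setgid/setuid: the hat keeps only the runtime rights.
 * EPERM means the process is not confined by AppArmor at all. */
enum hat_result enter_hat(const char *hat, unsigned long token) {
    if (!aa_change_hat) return HAT_NO_LIB;
    if (aa_change_hat(hat, token) == 0) return HAT_OK;
    return errno == EPERM ? HAT_UNCONFINED : HAT_FAILED;
}
```

Treating HAT_UNCONFINED as a warning rather than a fatal error lets the same binary run on hosts without an AppArmor profile loaded.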

Habbie commented 7 years ago

Similar to this, support for OpenBSD pledge would be cool to have.