AppArmor has a neat feature called "change_hat". In short, it allows an application to switch into a less privileged scope. A common use case is for Apache to have a generic profile and then use hats for different vhosts/apps. A profile for pdns-recursor could look like this:
```
#include <tunables/global>

## if you run without chroot use this line:
@{PDNS_CHROOT} = ""
## if you run with a chroot use this line:
# @{PDNS_CHROOT} = "/var/lib/pdns"

/usr/sbin/pdns_recursor {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  /etc/pdns/recursor.conf r,
  @{PDNS_CHROOT}/var/run/pdns/pdns_recursor.controlsocket rwlk,
  @{PDNS_CHROOT}/var/run/pdns/pdns_recursor.pid rwl,
  @{PDNS_CHROOT}/run/pdns/pdns_recursor.controlsocket rwlk,
  @{PDNS_CHROOT}/run/pdns/pdns_recursor.pid rwl,

  ^afterstart {
    # remaining permissions here
    # e.g. drop chroot/setgid/setuid
  }
}
```
In the pdns recursor config you would need something like:
Examples for the code can be found e.g. in php-fpm change_hat support or Apache.
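
The daemon side of this, as an added example that is not code from pdns-recursor or from this post: after privileged startup the process asks the kernel to enter the `afterstart` hat of the profile above. It writes the same `changehat` request that libapparmor's `aa_change_hat()` sends, so it builds without libapparmor; `format_changehat` and `enter_hat` are hypothetical helper names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Build the request "changehat <token as 16 hex digits>^<hat>".
 * Returns its length, or -1 with errno set. */
int format_changehat(char *buf, size_t cap, const char *hat, unsigned long token)
{
    if (hat == NULL || *hat == '\0') { errno = EINVAL; return -1; }
    int n = snprintf(buf, cap, "changehat %016lx^%s", token, hat);
    if (n < 0 || (size_t)n >= cap) { errno = ENAMETOOLONG; return -1; }
    return n;
}

/* Move this task into hat `hat` of its current profile (call from the main
 * thread). Returns 0, or -1 with errno set, e.g. when the task is unconfined. */
int enter_hat(const char *hat, unsigned long token)
{
    char req[256];
    int n = format_changehat(req, sizeof req, hat, token);
    if (n < 0) return -1;
    int fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, req, (size_t)n);
    int saved = errno;
    close(fd);
    errno = saved;
    return w == (ssize_t)n ? 0 : -1;
}

int main(void)
{
    /* Privileged startup (bind, chroot, setgid/setuid) runs before this point. */
    unsigned long token = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0 || read(fd, &token, sizeof token) != (ssize_t)sizeof token) {
        perror("token");
        return 1;
    }
    close(fd);
    if (enter_hat("afterstart", token) != 0) {
        perror("change_hat afterstart");
        return 1; /* fail closed: never serve with startup privileges */
    }
    /* Leaving the hat would need the same token; it is not stored anywhere. */
    return 0;
}
```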