Friday, 24 June 2016

Re: ANN: DNS resolver changes in yakkety

On Fri, 2016-06-24 at 11:24 +0200, Martin Pitt wrote:
> Marc Deslauriers [2016-06-16 12:06 +0300]:

> > For touch and confined applications, if this turns out to be a privacy
> > concern
> > for our users, we can either turn off caching by default for the touch
> > devices,
> > or we can disable caching only for confined applications by adding some sort
> > of
> > AppArmor integration.
> I'm not sure how AppArmor or MAC in general could influence this. The
> only way "around" this would be to change nsswitch.conf for that
> particular process to not use "resolve" at all, but direct queries of
> the upstream DNS servers, but this would again break link specific DNS
> servers. So realistically this appears to me as a system-global
> decision.
I'm not suggesting we do this now or anything, but resolved could use the
libapparmor API to query for the security label of the connecting process and
therefore make decisions based on that label. For a simplistic but clear
example: if the label is unconfined, serve from cache, if not, don't.

Jamie Strandboge |