This is a short AppArmor profile for the program. I’ve removed all abstractions, and it works for me.
# Last Modified: Sat Jul 6 02:21:04 2013
# This Apparmor profile is provided by insanitybit.com, and if there are updates that
# is where you will find them. Report issues or changes there please!
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
The dnscrypt-proxy service can run as a separate user, chroot itself into the directory, and drop privileges. It also makes use of compiler security flags, so it’s PIE-enabled and uses full RELRO and stack protection. It’s pretty cool, but I like to be sure, so enforcing an AppArmor profile is always nice.
With this AppArmor profile enabled, an attacker who compromises DNSCrypt will have absolutely no write access to the file system and incredibly limited read access. The most viable option at this point is for them to go for a local kernel exploit.
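One way to check the "no write access, no abstractions" claim against a profile file, as an added example that is not part of the original post or the author's profile. The sample profile's binary path, capability and file rules are constructed assumptions (only the four network rules come from the post), and the parser only handles the simple `PATH PERMS,` rule form.

```python
import re

# Constructed sample profile: the binary path, capability and file rules are
# assumptions for illustration; only the four network rules come from the post.
SAMPLE_PROFILE = """\
/usr/sbin/dnscrypt-proxy {
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  capability setuid,
  /etc/ld.so.cache r,
  /lib/x86_64-linux-gnu/*.so* mr,
}
"""

# Matches "[audit] [deny] [owner] PATH PERMS," file rules only.
FILE_RULE = re.compile(
    r"^(?:audit\s+)?(?P<deny>deny\s+)?(?:owner\s+)?"
    r"(?P<path>(?:/|@\{)\S*)\s+(?P<perms>[a-zA-Z]+),$")
INCLUDE = re.compile(r"^#?include\s+<(abstractions/[^>]+)>")
WRITE_PERMS = set("wal")  # write, append and link all modify the file system


def audit_profile(text):
    """Summarise what a profile in the simple 'PATH PERMS,' form allows."""
    report = {"abstractions": [], "writable": [], "readable": [], "network": []}
    for raw in text.splitlines():
        line = raw.strip()
        inc = INCLUDE.match(line)  # checked first: "#include" looks like a comment
        if inc:
            report["abstractions"].append(inc.group(1))
        elif not line or line.startswith("#"):
            continue
        elif line.startswith("network"):
            report["network"].append(" ".join(line.rstrip(",").split()[1:]))
        else:
            rule = FILE_RULE.match(line)
            if not rule or rule.group("deny"):
                continue  # deny rules remove access, so they are not findings
            if WRITE_PERMS & set(rule.group("perms")):
                report["writable"].append(rule.group("path"))
            elif "r" in rule.group("perms"):
                report["readable"].append(rule.group("path"))
    return report


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

An empty `writable` list and an empty `abstractions` list are what the post's claim predicts; any entry in either is a rule to review before enforcing the profile.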