From 83f7fe4b8402bab171d110703a1b1115efbc9b28 Mon Sep 17 00:00:00 2001 From: Lukasz Kasprzak Date: Tue, 14 Apr 2026 22:32:43 +0200 Subject: cleaned up many scrits and deleted some that were of no use; renamed a lot --- .../db/public/apparmor/apparmor.d/usr.sbin.unbound | 56 ---------------------- 1 file changed, 56 deletions(-) delete mode 100644 straper/db/public/apparmor/apparmor.d/usr.sbin.unbound (limited to 'straper/db/public/apparmor/apparmor.d/usr.sbin.unbound') diff --git a/straper/db/public/apparmor/apparmor.d/usr.sbin.unbound b/straper/db/public/apparmor/apparmor.d/usr.sbin.unbound deleted file mode 100644 index 551bfc8..0000000 --- a/straper/db/public/apparmor/apparmor.d/usr.sbin.unbound +++ /dev/null @@ -1,56 +0,0 @@ -# Author: Simon Deziel -# vim:syntax=apparmor -#include - -profile unbound /usr/sbin/unbound flags=(attach_disconnected) { - #include - #include - #include - - # chown (chgrp) the Unix control socket - capability chown, - # chmod the Unix control socket - capability fowner, - capability fsetid, - - # added to abstractions/nameservices in Apparmor 2.12 - /var/lib/sss/mc/initgroups r, - - capability net_bind_service, - capability setgid, - capability setuid, - capability sys_chroot, - capability sys_resource, - - # root hints from dns-data-root - /usr/share/dns/root.* r, - - # non-chrooted paths - /etc/unbound/** r, - owner /etc/unbound/*.key* rw, - # explicitly deny (and audit) attempts to write to the key files - # this should be unnecessary after switch to /run/unbound.ctl control socket - # (here and below) - audit deny /etc/unbound/unbound_control.{key,pem} rw, - audit deny /etc/unbound/unbound_server.key w, - - # chrooted paths - # unbound can be chrooted into /etc/unbound (upstream default) with - # /var/lib/unbound/ bind-mounted to /etc/unbound/var/lib/unbound/, - # or it can be chrooted into /var/lib/unbound/ with /etc/unbound/ copied - # into there (previous debian package default). - /{,etc/unbound/}var/lib/unbound/** r, - owner /{,etc/unbound/}var/lib/unbound/** rw, - audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_control.{key,pem} rw, - audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_server.key w, - - /usr/sbin/unbound mr, - - /run/systemd/notify w, - /run/unbound.pid rw, - - # Unix control socket - /run/unbound.ctl rw, - - #include -} -- cgit v1.3