# Author: Simon Deziel # vim:syntax=apparmor #include profile unbound /usr/sbin/unbound flags=(attach_disconnected) { #include #include #include # chown (chgrp) the Unix control socket capability chown, # chmod the Unix control socket capability fowner, capability fsetid, # added to abstractions/nameservices in Apparmor 2.12 /var/lib/sss/mc/initgroups r, capability net_bind_service, capability setgid, capability setuid, capability sys_chroot, capability sys_resource, # root hints from dns-data-root /usr/share/dns/root.* r, # non-chrooted paths /etc/unbound/** r, owner /etc/unbound/*.key* rw, # explicitly deny (and audit) attempts to write to the key files # this should be unnecessary after switch to /run/unbound.ctl control socket # (here and below) audit deny /etc/unbound/unbound_control.{key,pem} rw, audit deny /etc/unbound/unbound_server.key w, # chrooted paths # unbound can be chrooted into /etc/unbound (upstream default) with # /var/lib/unbound/ bind-mounted to /etc/unbound/var/lib/unbound/, # or it can be chrooted into /var/lib/unbound/ with /etc/unbound/ copied # into there (previous debian package default). /{,etc/unbound/}var/lib/unbound/** r, owner /{,etc/unbound/}var/lib/unbound/** rw, audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_control.{key,pem} rw, audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_server.key w, /usr/sbin/unbound mr, /run/systemd/notify w, /run/unbound.pid rw, # Unix control socket /run/unbound.ctl rw, #include }