1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
# Author: Simon Deziel
# vim:syntax=apparmor
#include <tunables/global>
profile unbound /usr/sbin/unbound flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
# chown (chgrp) the Unix control socket
capability chown,
# chmod the Unix control socket
capability fowner,
capability fsetid,
# added to abstractions/nameservices in Apparmor 2.12
/var/lib/sss/mc/initgroups r,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# root hints from dns-data-root
/usr/share/dns/root.* r,
# non-chrooted paths
/etc/unbound/** r,
owner /etc/unbound/*.key* rw,
# explicitly deny (and audit) attempts to write to the key files
# this should be unnecessary after switch to /run/unbound.ctl control socket
# (here and below)
audit deny /etc/unbound/unbound_control.{key,pem} rw,
audit deny /etc/unbound/unbound_server.key w,
# chrooted paths
# unbound can be chrooted into /etc/unbound (upstream default) with
# /var/lib/unbound/ bind-mounted to /etc/unbound/var/lib/unbound/,
# or it can be chrooted into /var/lib/unbound/ with /etc/unbound/ copied
# into there (previous debian package default).
/{,etc/unbound/}var/lib/unbound/** r,
owner /{,etc/unbound/}var/lib/unbound/** rw,
audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_control.{key,pem} rw,
audit deny /{,etc/unbound/}var/lib/unbound/**/unbound_server.key w,
/usr/sbin/unbound mr,
/run/systemd/notify w,
/run/unbound.pid rw,
# Unix control socket
/run/unbound.ctl rw,
#include <local/usr.sbin.unbound>
}
|