From 854025fedc9d84869c85410646cc814e0b541452 Mon Sep 17 00:00:00 2001
From: barmogund
Date: Sat, 9 Nov 2024 20:25:04 +0100
Subject: [PATCH] Create unbound
---
 apparmor.d/profiles-s-z/unbound | 64 +++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/unbound
diff --git a/apparmor.d/profiles-s-z/unbound b/apparmor.d/profiles-s-z/unbound
new file mode 100644
index 000000000..0ae7d8a8e
--- /dev/null
+++ b/apparmor.d/profiles-s-z/unbound
@@ -0,0 +1,64 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# Copyright (C) 2024 Barmogund
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+{exec_path} = @{bin}/unbound
+profile unbound @{exec_path} flags=(attach_disconnected) {
+include
+include
+include
+include
+include
+include
+include
+
+capability net_bind_service,
+capability net_raw,
+capability sys_resource,
+capability sys_chroot,
+capability setgid,
+capability setuid,
+capability setpcap,
+
+network unix stream,
+network unix dgram,
+network inet dgram,
+network inet stream,
+network inet6 dgram,
+network inet6 stream,
+network netlink raw,
+
+signal (receive) set=(term, cont) peer=runsv,
+#aa:dbus own bus=system name=org.freedesktop.resolve1
+
+dbus send bus=system path=/org/freedesktop/DBus
+interface=org.freedesktop.DBus
+member={GetConnectionUnixUser,GetConnectionUnixProcessID}
+peer=(name=org.freedesktop.DBus, label=dbus-system),
+
+@{exec_path} mr,
+
+/etc/unbound/{,**} rw,
+/etc/systemd/resolved.conf r,
+/etc/systemd/resolved.conf.d/{,*} r,
+
+@{run}/systemd/netif/links/* r,
+@{run}/systemd/notify rw,
+@{run}/systemd/resolve/{,**} rw,
+
+@{PROC}/@{pid}/cgroup r,
+@{PROC}/ r,
+owner @{PROC}/@{pids}/fd/ r,
+@{PROC}/pressure/* r,
+@{PROC}/sys/kernel/hostname r,
+@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
+
+include if exists
+}
+
+# vim:syntax=apparmor
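Review bot: `/etc/unbound/{,**} rw,` gives the daemon write access to its whole configuration tree, so a compromised unbound could rewrite `unbound.conf` (forwarders, `include:` directives) and have the change persist across restarts; the only file unbound normally writes under its config directory is the RFC 5011 auto-trust-anchor file. Prefer `/etc/unbound/{,**} r,` plus a dedicated `/etc/unbound/<auto-trust-anchor-file> rw,` line, with the path taken from the local `auto-trust-anchor-file:` setting. The `#aa:dbus own bus=system name=org.freedesktop.resolve1` directive and `@{run}/systemd/resolve/{,**} rw,` look like they were carried over from a systemd-resolved setup; unless unbound on this host really implements the resolve1 interface, they let the process claim resolved's bus name and overwrite its stub resolv.conf, so they should be dropped or justified with a comment. `@{PROC}/ r,` and `capability net_raw,` are likewise broader than a recursive resolver usually needs; if they came from audit denials, a short comment naming the triggering feature (interface binding, for instance) would help the next reviewer.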