From ace53f3002531730a262245b27d62c16a65efc7c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 15 Aug 2025 10:35:19 +0200
Subject: [PATCH] feat(profile): openvpn need to load module. See #811
---
 apparmor.d/groups/network/openvpn | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index a6ff1a939..b5a6b83ef 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@@ -27,17 +27,12 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
 include
 include
- # Needed to remove the following errors:
- # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
- # Exiting due to fatal error
- capability net_admin,
-
- # These are needed when user/group are set in a OpenVPN config file
- capability setuid,
- capability setgid,
-
- capability dac_read_search,
 capability dac_override,
+ capability dac_read_search,
+ capability net_admin, # create tun
+ capability setgid, # when user/group are set in a OpenVPN config file
+ capability setuid,
+ capability sys_module,
 network inet dgram,
 network inet6 dgram,
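Review bot: The added `capability sys_module,` line has no trailing comment, unlike the `net_admin` and `setgid` lines beside it, yet it is the broadest grant in this block. A process that can load kernel modules is effectively no longer bounded by the profile, and this one is a network-facing daemon that also holds `dac_override`. The rule should record which module is needed and why, for example `capability sys_module, # load <module name> on demand, see #811`, so a later audit can tell whether it is still required. Check whether loading that module at boot (for example via modules-load.d) would let the profile drop the capability, or whether the logged denial is only a side effect of interface creation and could be denied instead. The rest of the profile lies outside this hunk, so I cannot tell from here whether module-path file rules were also added.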