Hi,
Here is a profile derived from the one made by Ondřej Surý. It supports
running unbound chroot'ed and with a dedicated user/group.
The chroot support works best in conjunction with my patch posted in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579622#25
Thank you,
Simon
# vim:syntax=apparmor
# AppArmor profile for the unbound resolver, confining /usr/sbin/unbound.
# Intended for a setup that chroots and drops to a dedicated user/group
# (see the covering mail), so the privilege-related capabilities below are
# what that start-up sequence needs; everything not listed here is denied.
#include <tunables/global>
/usr/sbin/unbound {
# base: shared libraries, /dev/null, /dev/(u)random, locale, etc.
#include <abstractions/base>
# nameservice: resolver/NSS files, syslog socket and the network rules
# an ordinary name-service client needs.
#include <abstractions/nameservice>
# Bind privileged ports (< 1024).
capability net_bind_service,
# Drop to the dedicated group/user after start-up.
capability setgid,
capability setuid,
# presumably needed to hand files (e.g. the pid file) to the unprivileged
# user — verify against the daemon's start-up code.
capability chown,
# Enter the chroot.
capability sys_chroot,
# NOTE(review): most likely for raising resource limits (setrlimit) —
# confirm; drop it if the daemon runs fine without it.
capability sys_resource,
# NOTE(review): dac_override bypasses file-mode checks for every path the
# profile allows; this is the broadest capability here. Confirm it is really
# required (e.g. for reading root-owned files after the uid switch) rather
# than fixable with file ownership/permissions.
capability dac_override,
# for networking
owner @{PROC}/[0-9]*/net/if_inet6 r,
owner @{PROC}/[0-9]*/net/ipv6_route r,
# Configuration tree is read-only, except key files owned by the daemon
# user, which it may rewrite.
/etc/unbound/** r,
owner /etc/unbound/*.key rw,
# deny takes precedence over the owner rw grant above: writes to the
# server/control key pair are always refused, and 'audit' logs each attempt.
audit deny /etc/unbound/unbound_server.key w,
audit deny /etc/unbound/unbound_control.key w,
# State directory: readable; .key files owned by the daemon user (e.g. a
# managed trust anchor) may be rewritten.
/var/lib/unbound/** r,
owner /var/lib/unbound/**/*.key rw,
# OpenSSL configuration, read at library initialisation.
/etc/ssl/openssl.cnf r,
# Allow mapping its own executable (mr).
/usr/sbin/unbound mr,
# Pid file; rw because the daemon creates and later removes it.
# NOTE(review): this is the path outside the chroot — confirm it matches
# the pidfile setting once chroot is enabled.
/var/run/unbound.pid rw,
}