knot-resolver/scripts/kresd.apparmor

#include <tunables/global>

/usr/sbin/kresd {
  #include <abstractions/base>
  #include <abstractions/p11-kit>
  #include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
  capability setuid,
  # seems to be needed during start to read /var/lib/knot-resolver
  # while we still run as root.
  capability dac_override,

  network tcp,
  network udp,

  /proc/sys/net/core/somaxconn r,
  /etc/knot-resolver/* r,
  /var/lib/knot-resolver/ r,
  /var/lib/knot-resolver/** rwlk,

  # modules
  /usr/lib{,64}/kdns_modules/*.lua r,
  /usr/lib{,64}/kdns_modules/*.so rm,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.kresd>
}