# AppArmor profile for the unbound validating DNS resolver.
# Policy language: AppArmor 3.0 abi; site-specific additions belong in
# local/unbound (pulled in at the end of the profile), not in this file.
abi <abi/3.0>,

include <tunables/global>

profile unbound /{usr/,}sbin/unbound {
  # Shared rule sets: libc/loader basics, resolver/nsswitch lookups
  # (strict variant, no broad /etc read access), and the system CA store.
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  # Sockets: IPv4 and IPv6 for DNS traffic, netlink for interface queries.
  network inet,
  network inet6,
  network netlink,

  # Privileges the daemon keeps. Each one widens what a compromised process
  # could do, so every entry should be tied to a concrete need:
  #  - net_bind_service: listening on port 53 (< 1024)
  #  - setuid/setgid:    presumably dropping root to the service user after
  #                      sockets are bound — confirm against the unit config
  #  - net_admin:        NOTE(review): not obviously required for a resolver;
  #                      verify which socket option needs it before keeping it
  #  - dac_override:     NOTE(review): bypasses file-permission checks on every
  #                      path allowed below; confirm the path that needs it and
  #                      prefer fixing ownership over granting this capability
  capability net_bind_service,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability dac_override,

  # The executable itself: read + mmap-exec.
  /{usr/,}sbin/unbound rm,

  # Static configuration, trust anchors and TLS material (read-only).
  /etc/unbound/{unbound.conf,dlv.isc.org.key,icannbundle.pem,root.key} r,
  /etc/unbound/{conf.d,keys.d,local.d}/ r,
  /etc/unbound/{conf.d,local.d}/*.conf r,
  /etc/unbound/keys.d/*.key r,
  /etc/unbound/unbound_{server,control}.{key,pem} r,
  /usr/share/unbound/root.key r,

  # Managed root trust anchor. The trailing glob also covers any
  # temporary/backup variants written next to it (rename-in-place style
  # updates are presumed — confirm); w/l/k allow write, link and locking.
  /var/lib/unbound/root.key* rwlk,

  # Runtime pid file.
  /run/unbound/unbound.pid rwlk,

  # Local overrides, loaded only if present.
  include if exists <local/unbound>
}
