# vim:syntax=apparmor
# Last Modified: Tue Mar  9 14:17:50 EST 2021
#include <tunables/global>

/usr/sbin/named flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # Database file used by allow-new-zones
  /var/cache/bind/_default.nzd-lock rwk,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/openssl.cnf r,

  # root hints from dns-data-root
  /usr/share/dns/root.* r,

  # GeoIP data files for GeoIP ACLs
  /usr/share/GeoIP/** r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  # Allow changing worker thread names
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{PROC}/sys/net/ipv4/ip_local_port_range r,
  /usr/sbin/named mr,
  /{,var/}run/named/named.pid w,
  /{,var/}run/named/session.key w,
  # support for resolvconf
  /{,var/}run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  {{ bind_log_file }} rw,
{% if bind_query_file_enabled | bool %}
  {{ bind_query_file }} rw,
{% endif %}

  # gssapi
  /var/lib/sss/pubconf/krb5.include.d/** r,
  /var/lib/sss/pubconf/krb5.include.d/ r,
  /var/lib/sss/mc/initgroups r,
  /etc/gss/mech.d/ r,

  # ldap
  /etc/ldap/ldap.conf r,
  /{,var/}run/slapd-*.socket rw,

  # dynamic updates
  /var/tmp/DNS_* rw,

  # dyndb backends
  /usr/lib/bind/*.so rm,

  # Samba DLZ
  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
  /var/lib/samba/bind-dns/dns.keytab rk,
  /var/lib/samba/bind-dns/named.conf r,
  /var/lib/samba/bind-dns/dns/** rwk,
  /var/lib/samba/private/dns.keytab rk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /etc/samba/smb.conf r,
  /dev/urandom rwmk,
  owner /var/tmp/krb5_* rwk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>
}