addons/dnsmasq/apparmor.txt

#include <tunables/global>

profile dnsmasq flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability dac_override,
  network inet raw,
  network inet6 raw,

  /bin/busybox ix,
  /bin/bash ix,
  /usr/bin/jq ix,
  /usr/sbin/dnsmasq ix,

  /etc/dnsmasq.conf rw,
  /{,var/}run/*dnsmasq*.pid w,
  /{,var/}run/dnsmasq/ r,
  /{,var/}run/dnsmasq/* rw,

  /usr/lib/bashio/bashio ix,
  /dev/tty rw,
  /tmp/* rw,

  /run.sh rix,
  /data/** r,
}