Code review comment for lp:~sdeziel/apparmor-profiles/unbound-refresh

Simon Déziel (sdeziel) wrote :

Hmm, I might have been too quick to add the caps denial. I understand your concern about masking future problems but on the other hand, AppArmor denials would have people wondering about what's going on.

I was tempted to ask upstream to skip the chown'ing if the PID is outside of the chroot but then one setting the PID to be in the chroot would be missing the caps... Would that be the least bad option?
