author | glitsj16 <glitsj16@users.noreply.github.com> | 2019-06-26 18:50:46 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-06-26 18:50:46 +0000 |
commit | 6da539894c7ecbcf43d3e9910c90f25ea5eb662d (patch) | |
tree | 3ff9ae6b8981bfb9accc01442d37a9cae95a8199 /etc/unbound.profile | |
parent | whitespace fix (diff) | |
Hardening a few profiles (#2800)
* Harden curl.profile
* Harden dnscrypt-proxy.profile
* Harden unbound.profile
* Harden unbound.profile
Diffstat (limited to 'etc/unbound.profile')
-rw-r--r-- | etc/unbound.profile | 6 |
1 files changed, 6 insertions, 0 deletions
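--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -13,6 +13,7 @@ blacklist /tmp/.X11-unix
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,13 +23,18 @@ whitelist /var/lib/unbound
 whitelist /var/run
 
 caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
 notv
 nou2f
 novideo
+protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 
 disable-mnt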
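Review bot: The new `protocol inet,inet6` line in the second hunk omits `unix`, so the sandbox will refuse AF_UNIX sockets; unbound's default logging path (`use-syslog: yes`, a datagram socket to /dev/log) and a `control-interface` configured as a socket path would then fail, which silently removes the daemon's audit trail rather than hardening it. Unless the profile is known to run with syslog disabled, the safer line is `protocol unix,inet,inet6`, with a comment such as `# unix is needed for syslog and unbound-control sockets`. The added `netfilter` line is, as far as I recall firejail's documentation, only effective once a new network namespace exists, and no `net` directive is visible in this hunk, so it may be a no-op here; worth confirming rather than relying on it as a filter. The profile continues outside the hunk in both directions.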