Update unbound profile to block 3D acceleration.

There is no legitimate reason for a caching DNS resolver to need 3D acceleration. Unbound adheres to this already, so any attempts to access GPU hardware from it are by definition either bugs or the result of an exploit, so let's just block access to the GPU.
author: Austin S. Hemmelgarn <ahferroin7@gmail.com> 2017-02-15 07:52:22 -0500
committer: GitHub <noreply@github.com> 2017-02-15 07:52:22 -0500
commit: fe45ca43c468a21e225a05beda867f93db88f897 (patch)
tree: c0de91accafefb2d1cc40694b0d99133e9d0dd7b /etc/unbound.profile
parent: merge #1100 from zackw: rework DISPLAY environment parsing, rework masking X... (diff)
download: firejail-fe45ca43c468a21e225a05beda867f93db88f897.tar.gz
firejail-fe45ca43c468a21e225a05beda867f93db88f897.tar.zst
firejail-fe45ca43c468a21e225a05beda867f93db88f897.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/etc/unbound.profile b/etc/unbound.profile
index af8d7b374..0bd46b7f4 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -13,5 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 private
 private-dev
 nosound
+no3d
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
author	Austin S. Hemmelgarn <ahferroin7@gmail.com>	2017-02-15 07:52:22 -0500
committer	GitHub <noreply@github.com>	2017-02-15 07:52:22 -0500
commit	fe45ca43c468a21e225a05beda867f93db88f897 (patch)
tree	c0de91accafefb2d1cc40694b0d99133e9d0dd7b /etc/unbound.profile
parent	merge #1100 from zackw: rework DISPLAY environment parsing, rework masking X... (diff)
download	firejail-fe45ca43c468a21e225a05beda867f93db88f897.tar.gz firejail-fe45ca43c468a21e225a05beda867f93db88f897.tar.zst firejail-fe45ca43c468a21e225a05beda867f93db88f897.zip

diff --git a/etc/unbound.profile b/etc/unbound.profile index af8d7b374..0bd46b7f4 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -13,5 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
13	private	13	private
14	private-dev	14	private-dev
15	nosound	15	nosound
		16	no3d
16	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open	17	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
17		18