unbound fix (writable-var) - #1731

author: smitsohu <smitsohu@gmail.com> 2018-01-31 20:51:47 +0100
committer: GitHub <noreply@github.com> 2018-01-31 20:51:47 +0100
commit: 3b7882f84aa57c6b928d56e7682a90bfe13445d2 (patch)
tree: 89dc43f032c7f29db74009407ce3104174c6d61d /etc/unbound.profile
parent: overlay fixes and additional hardening (diff)
download: firejail-3b7882f84aa57c6b928d56e7682a90bfe13445d2.tar.gz
firejail-3b7882f84aa57c6b928d56e7682a90bfe13445d2.tar.zst
firejail-3b7882f84aa57c6b928d56e7682a90bfe13445d2.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/etc/unbound.profile b/etc/unbound.profile
index c03a25752..f3bb4f852 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist /var/lib/unbound
 caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
@@ -23,6 +25,7 @@ nosound
 notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+writable-var
 disable-mnt
 private
author	smitsohu <smitsohu@gmail.com>	2018-01-31 20:51:47 +0100
committer	GitHub <noreply@github.com>	2018-01-31 20:51:47 +0100
commit	3b7882f84aa57c6b928d56e7682a90bfe13445d2 (patch)
tree	89dc43f032c7f29db74009407ce3104174c6d61d /etc/unbound.profile
parent	overlay fixes and additional hardening (diff)
download	firejail-3b7882f84aa57c6b928d56e7682a90bfe13445d2.tar.gz firejail-3b7882f84aa57c6b928d56e7682a90bfe13445d2.tar.zst firejail-3b7882f84aa57c6b928d56e7682a90bfe13445d2.zip

diff --git a/etc/unbound.profile b/etc/unbound.profile index c03a25752..f3bb4f852 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
15	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
16	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
17		17
		18	whitelist /var/lib/unbound
		19
18	caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource	20	caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
19	no3d	21	no3d
20	nodvd	22	nodvd
@@ -23,6 +25,7 @@ nosound
23	notv	25	notv
24	novideo	26	novideo
25	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open	27	seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
		28	writable-var
26		29
27	disable-mnt	30	disable-mnt
28	private	31	private