Hardening a few profiles (#2800)

* Harden curl.profile

* Harden dnscrypt-proxy.profile

* Harden unbound.profile

* Harden unbound.profile

1 files changed, 6 insertions, 0 deletions

diff --git a/etc/unbound.profile b/etc/unbound.profile
index e152ee7ea..7d1c36d2f 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -13,6 +13,7 @@ blacklist /tmp/.X11-unix
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,13 +23,18 @@ whitelist /var/lib/unbound
 whitelist /var/run
 
 caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
 notv
 nou2f
 novideo
+protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 
 disable-mnt