3 files changed, 15 insertions, 1 deletions
diff --git a/etc/curl.profile b/etc/curl.profile
index 76beee46a..d8282b972 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -17,8 +17,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -27,7 +30,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol inet,inet6
 seccomp
 shell none
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index ae248f2e8..169b23f5f 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -13,19 +13,24 @@ blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+ipc-namespace
+machine-id
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
 notv
 nou2f
 novideo
+protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 disable-mnt
diff --git a/etc/unbound.profile b/etc/unbound.profile
index e152ee7ea..7d1c36d2f 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -13,6 +13,7 @@ blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,13 +23,18 @@ whitelist /var/lib/unbound
 whitelist /var/run
 caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
 notv
 nou2f
 novideo
+protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
 disable-mnt

diff --git a/etc/curl.profile b/etc/curl.profile index 76beee46a..d8282b972 100644 --- a/etc/curl.profile +++ b/etc/curl.profile
@@ -17,8 +17,11 @@ include disable-passwdmgr.inc
17	include disable-programs.inc	17	include disable-programs.inc
18		18
19	caps.drop all	19	caps.drop all
		20	ipc-namespace
		21	machine-id
20	netfilter	22	netfilter
21	no3d	23	no3d
		24	nodbus
22	nodvd	25	nodvd
23	nogroups	26	nogroups
24	nonewprivs	27	nonewprivs
@@ -27,7 +30,7 @@ nosound
27	notv	30	notv
28	nou2f	31	nou2f
29	novideo	32	novideo
30	protocol unix,inet,inet6	33	protocol inet,inet6
31	seccomp	34	seccomp
32	shell none	35	shell none
33		36


diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index ae248f2e8..169b23f5f 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile
@@ -13,19 +13,24 @@ blacklist /tmp/.X11-unix
13		13
14	include disable-common.inc	14	include disable-common.inc
15	include disable-devel.inc	15	include disable-devel.inc
		16	include disable-exec.inc
16	include disable-interpreters.inc	17	include disable-interpreters.inc
17	include disable-passwdmgr.inc	18	include disable-passwdmgr.inc
18	include disable-programs.inc	19	include disable-programs.inc
19	include disable-xdg.inc	20	include disable-xdg.inc
20		21
21	caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot	22	caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
		23	ipc-namespace
		24	machine-id
22	no3d	25	no3d
		26	nodbus
23	nodvd	27	nodvd
24	nonewprivs	28	nonewprivs
25	nosound	29	nosound
26	notv	30	notv
27	nou2f	31	nou2f
28	novideo	32	novideo
		33	protocol inet,inet6
29	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice	34	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
30		35
31	disable-mnt	36	disable-mnt


diff --git a/etc/unbound.profile b/etc/unbound.profile index e152ee7ea..7d1c36d2f 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile
@@ -13,6 +13,7 @@ blacklist /tmp/.X11-unix
13		13
14	include disable-common.inc	14	include disable-common.inc
15	include disable-devel.inc	15	include disable-devel.inc
		16	include disable-exec.inc
16	include disable-interpreters.inc	17	include disable-interpreters.inc
17	include disable-passwdmgr.inc	18	include disable-passwdmgr.inc
18	include disable-programs.inc	19	include disable-programs.inc
@@ -22,13 +23,18 @@ whitelist /var/lib/unbound
22	whitelist /var/run	23	whitelist /var/run
23		24
24	caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource	25	caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
		26	ipc-namespace
		27	machine-id
		28	netfilter
25	no3d	29	no3d
		30	nodbus
26	nodvd	31	nodvd
27	nonewprivs	32	nonewprivs
28	nosound	33	nosound
29	notv	34	notv
30	nou2f	35	nou2f
31	novideo	36	novideo
		37	protocol inet,inet6
32	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice	38	seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
33		39
34	disable-mnt	40	disable-mnt